[ratelimits] adding "all-responses-per-second X"

Vernon Schryver vjs at rhyolite.com
Sun Sep 16 22:06:51 UTC 2012


> From: sthaug at nethelp.no

> I can confirm this observation. Example from one of our authoritative
> servers running 9.8.3-P2 and the ratelimit patch:
>
> 16-Sep-2012 16:00:10.825 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY adressa.no
> 16-Sep-2012 16:00:10.862 rate-limit: info: limiting responses to 121.10.112.0/24 for IN ANY brreg.no
> ...

Is that a motion or vote in favor of extending the RRL patch or
do you prefer using simple firewall ratelimiting for such attacks?

Please note that those log entries do not confirm the idea of
requesting many names but each just below the responses-per-second
threshold so that no rate limiting happens.
However, continually requesting N/second each of M valid domains would
reflect about M*responses-per-second responses/second
and (M*(N-responses-per-second))/slip small TC=1 responses/second
(with slip=2 by default).  That might be objectionable.


Vernon Schryver    vjs at rhyolite.com
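The arithmetic in the message (M names, N queries/second each, M*responses-per-second full answers plus M*(N-responses-per-second)/slip small TC=1 answers) can be checked with a toy model. The following is an added example, not code from the RRL patch or from BIND: it models only a per-(client netblock, qname) bucket refilled with responses-per-second credits each second, with every slip-th over-limit response turned into a truncated reply and the rest dropped. The client netblock and the name list are constructed for the simulation; real RRL also keeps separate NXDOMAIN/error buckets, smooths over a window and ages its hash table, none of which is modelled here.

```python
"""Toy model of the RRL accounting discussed above (added example,
not the ratelimits patch's or BIND's own code)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class RRLStats:
    full: int = 0        # normal, full-size responses sent
    truncated: int = 0   # small TC=1 "slip" responses sent
    dropped: int = 0     # queries silently discarded


@dataclass
class RRLModel:
    responses_per_second: int
    slip: int = 2
    # credits left this second, per (client netblock, qname) key
    _credits: dict = field(default_factory=dict)
    # over-limit responses seen per key, used to pick every slip-th one
    _limited: dict = field(default_factory=lambda: defaultdict(int))
    stats: RRLStats = field(default_factory=RRLStats)

    def new_second(self):
        """Refill every bucket: each key gets responses_per_second credits."""
        self._credits.clear()

    def respond(self, client_net, qname):
        """Decide what the server sends for one query; returns 'full', 'tc' or 'drop'."""
        key = (client_net, qname)
        credits = self._credits.get(key, self.responses_per_second)
        if credits > 0:
            self._credits[key] = credits - 1
            self.stats.full += 1
            return "full"
        # Over the limit: every slip-th rate-limited response becomes a
        # small TC=1 reply so a legitimate client can retry over TCP.
        self._limited[key] += 1
        if self.slip > 0 and self._limited[key] % self.slip == 0:
            self.stats.truncated += 1
            return "tc"
        self.stats.dropped += 1
        return "drop"


def simulate(m_names, n_per_second, responses_per_second, slip=2,
             seconds=1, client_net="192.0.2.0/24"):
    """Send n_per_second queries for each of m_names valid names from one
    (constructed) /24 for `seconds` seconds and return the response counts.
    Per second this yields m*rps full responses and m*((n-rps)//slip)
    TC=1 responses, as in the message's arithmetic."""
    rrl = RRLModel(responses_per_second, slip)
    names = [f"example{i}.test" for i in range(m_names)]  # constructed names
    for _ in range(seconds):
        rrl.new_second()
        for _ in range(n_per_second):
            for name in names:
                rrl.respond(client_net, name)
    return rrl.stats


def expected(m, n, rps, slip):
    """Closed-form counts (full, truncated, dropped) for one second."""
    limited = max(n - rps, 0)
    tc = limited // slip
    return m * min(n, rps), m * tc, m * (limited - tc)


if __name__ == "__main__":
    s = simulate(m_names=10, n_per_second=20, responses_per_second=5)
    print(f"full={s.full} truncated={s.truncated} dropped={s.dropped}")
```

With M=10 names at N=20 queries/second against responses-per-second 5 and slip 2, the model sends 50 full responses, 70 TC=1 responses and drops 80 queries per second; with N below the threshold (for example N=4) nothing is limited at all, which is the case the message says the quoted log entries do not show.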

