[ratelimits] No response repeated queries

Pete Ashdown pashdown at xmission.com
Mon Sep 24 02:33:47 UTC 2012


On Sun, Sep 23, 2012 at 08:15:03PM +0000, Vernon Schryver wrote:

> > From: Pete Ashdown <pashdown at xmission.com>
> 
> > First thanks for this patch.  I'm running it on our public recursors and it is
> > working much better than the baling-wire/sticky-tape/fail2ban I had before.
> 
> I hope those public recursors use firewalls, views, ACLs, etc. to only
> answer requests from your customers.  DNS amplified reflection DoS
> attacks are a major problem in large part because people are running
> open resolvers without any rate limiting.  (Yes, authoritative servers
> would still have problems, but few of them answer forged requests for
> those party favorites.)

The whole shebang, but we still need to keep a restricted form of access open
to the world.  Our customers have bled out onto other networks, and many still
use the connection settings they had with us.  Furthermore, we see roaming
from our connected customers.  It is a balance between keeping the support
requests down from existing customers and dealing with the abusers.  Your
patch has contributed significantly towards that goal.

> "slip 0;" turns off substituting truncated responses instead of
> dropping responses.

For only duplicates, or for everything?

> Do you mean "letting out 50-80 slip responses" instead of "requests"?
> Unless there is something odd about caching, a recursive server should
> not be sending 50-80 requests/second for any (qname,qtype).

Is a slip response only in regards to a duplicate?  If a victim IP address is
being spoofed for isc.org, and they do a legitimate request for a non-isc.org
address, is it allowed through if I have slip=0?

> With slip at 10, then 50-80 truncated responses/second are inconsequential.
> They are less than 8 KByte/sec or about an old fashioned voice channel.
> Meanwhile the bad guys are sending you 499-799 requests/second or about
> 80KByte/sec.  One can hope that they'll eventually understand that
> they're spinning their wheels and try some other open resolver.

That is good to know.

> I hope the current version of the documentation is less unclear.  The
> previous version was missing the phrase "ratio of the".
> 
> With "qps-scale 250; responses-per-second 20;" and a total query rate of
> 1000 qps for all queries from all DNS clients including via TCP,
> then the effective responses-per-second rate changes to (250/1000)*20 or 5.

I think the example would be useful to include as well.  Thank you.
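
Added example, not part of the original message and not BIND's own code: a simplified one-second model of the "qps-scale", "responses-per-second" and "slip" arithmetic quoted in this thread. The function names, the constructed 805-query flood, the floor rounding and the "no scaling at or below qps-scale" rule are assumptions of this sketch.

```python
# Simplified model of the rate-limit arithmetic quoted in the thread.
# Real response rate limiting keeps per-client-block accounts over a
# window; this sketch only reproduces the per-second numbers.

def effective_rps(responses_per_second, qps_scale, total_qps):
    """Scale the limit by the ratio of qps-scale to the total query rate."""
    if qps_scale <= 0 or total_qps <= qps_scale:
        # Assumption: the limit is left alone at or below qps-scale.
        return responses_per_second
    # Assumption: round down to a whole number of responses.
    return responses_per_second * qps_scale // total_qps


def one_second(identical_queries, limit, slip):
    """Split one second of identical responses to one client into
    (full answers, truncated "slip" replies, silent drops)."""
    answered = min(identical_queries, limit)
    over_limit = identical_queries - answered
    # slip N: every Nth over-limit response goes out truncated.
    # slip 0: nothing is substituted, every over-limit response is dropped.
    slipped = over_limit // slip if slip > 0 else 0
    return answered, slipped, over_limit - slipped


if __name__ == "__main__":
    # Values from the thread: qps-scale 250, responses-per-second 20,
    # total query rate 1000 qps.
    limit = effective_rps(20, 250, 1000)
    print("effective responses-per-second:", limit)

    # Constructed flood: 805 identical spoofed queries in one second.
    for slip in (10, 0):
        answered, slipped, dropped = one_second(805, limit, slip)
        print(f"slip {slip}: answered={answered} "
              f"truncated={slipped} dropped={dropped}")
```
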

