[ratelimits] rrl mention in an nlnetlabs tech report
Paul Vixie
paul at redbarn.org
Thu Aug 22 18:02:39 UTC 2013
saw this:
> Another pro-active technique is Response Rate
> Limiting (RRL) [29]. It limits the number of unique
> responses sent by the authoritative server. Roughly,
> it works by keeping track of several pieces of
> information of the responses. With every subsequent
> request, the name server checks whether the
> response that would be sent exceeds the set limit
> of responses per second per set of information. If
> this is the case, it either responds only once in a
> number of queries (configurable) or it sends a
> truncated (TC-flag set) answer, forcing a legitimate
> resolver to retry the query over TCP. RRL is currently
> the most promising technique and is implemented
> in the most popular name server software like
> BIND [14], NSD [20] and Knot [17]. The effectiveness
> of RRL is debated; it stops unsophisticated
> attacks using reflection.
here:
http://www.nlnetlabs.nl/downloads/publications/report-rp2-lexis.pdf
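The mechanism the quoted paragraph describes, as an added example that is not from the post, the report, or any of the named servers (BIND, NSD, Knot): a simplified RRL model in Python. The bucket key (client /24 netblock plus qname, qtype and rcode), the fixed one-second window, and the `slip` parameter that turns every slip-th excess response into a truncated (TC) answer are assumptions chosen for illustration, not any implementation's actual defaults.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class ResponseRateLimiter:
    """Simplified RRL: count identical responses per client netblock per second."""
    responses_per_second: int = 5   # responses allowed per bucket per second
    slip: int = 2                   # every slip-th excess response is sent with TC=1; 0 drops all excess
    # bucket key -> [window second, responses counted, excess responses seen]
    buckets: dict = field(default_factory=lambda: defaultdict(lambda: [-1, 0, 0]))

    def decide(self, client_ip: str, qname: str, qtype: str, rcode: str, now: float) -> str:
        # Aggregate the client to a /24 (assumption) so spoofed sources spread across
        # one victim network still land in a single bucket.
        netblock = ".".join(client_ip.split(".")[:3]) + ".0/24"
        key = (netblock, qname.lower().rstrip("."), qtype, rcode)
        bucket = self.buckets[key]
        second = int(now)
        if bucket[0] != second:          # new one-second window: reset counters
            bucket[:] = [second, 0, 0]
        bucket[1] += 1
        if bucket[1] <= self.responses_per_second:
            return "RESPOND"             # under the limit: normal answer
        bucket[2] += 1
        if self.slip and bucket[2] % self.slip == 0:
            return "TRUNCATE"            # TC=1: a real resolver retries over TCP, a spoofed victim gets a tiny packet
        return "DROP"                    # excess response silently discarded


def simulate_burst(count: int, client_ip: str = "192.0.2.77", limit: int = 3, slip: int = 2) -> Counter:
    """Constructed scenario: `count` identical queries from one source within the same second."""
    rrl = ResponseRateLimiter(responses_per_second=limit, slip=slip)
    decisions = Counter()
    for i in range(count):
        decisions[rrl.decide(client_ip, "example.com.", "ANY", "NOERROR", now=100.0 + i / 1000)] += 1
    return decisions


if __name__ == "__main__":
    print(simulate_burst(10))
```

With a limit of 3 and slip of 2, a burst of 10 identical queries yields 3 normal answers, 3 truncated answers and 4 drops, while a query from another netblock in the same second is unaffected.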