[ratelimits] rrl mention in an nlnetlabs tech report

Jay Daley jay at nzrs.net.nz
Thu Aug 22 19:29:32 UTC 2013


On 23/08/2013, at 6:02 AM, Paul Vixie <paul at redbarn.org> wrote:

> saw this:
> 
>> Another pro-active technique is Response Rate
>> Limiting (RRL) [29]. It limits the number of unique
>> responses sent by the authoritative server. Roughly,
>> it works by keeping track of several pieces of
>> information of the responses. With every subsequent
>> request, the name server checks whether the
>> response that would be sent exceeds the set limit
>> of responses per second per set of information. If
>> this is the case, it either responds only once in a
>> number of queries (configurable) or it sends a
>> truncated (TC-flag set) answer, forcing a legitimate
>> resolver to retry the query over TCP. RRL is currently
>> the most promising technique and is implemented
>> in the most popular name server software like
>> BIND [14], NSD [20] and Knot [17]. The effectiveness
>> of RRL is debated; it stops unsophisticated
>> attacks using reflection.

Is RRL intended to stop anything other than reflection?  (maybe possibly outgoing congestion?)

Jay


-- 
Jay Daley
Chief Executive
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 931 6977
mobile: +64 21 678840
linkedin: www.linkedin.com/in/jaydaley
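Added illustration of the mechanism the quoted report describes (example code written for this archive page, not the RRL implementation in BIND, NSD or Knot): responses are counted per second per tuple of (client prefix, qname, qtype, rcode); once the limit is exceeded, each further response is dropped, except that every `slip`-th one is sent as an empty answer with the TC flag so that a genuine resolver retries over TCP while a spoofed victim receives only a small packet. The tuple fields, the /24 and /56 prefix lengths, the limit and slip values, and the replayed traffic are all assumptions constructed for the example.

```python
"""Simplified model of Response Rate Limiting (RRL) decisions.

Example code for this page, not BIND/NSD/Knot code. Assumptions:
 - the "set of information" tracked per response is
   (client prefix, qname, qtype, rcode)
 - the counter window is one wall-clock second
 - slip == 0 means never truncate (drop every limited response),
   slip == N means every N-th limited response goes out as TC
"""
import collections
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class RRLConfig:
    responses_per_second: int = 5   # assumed limit per tuple per second
    slip: int = 2                   # every 2nd limited response is TC, others dropped
    ipv4_prefix_len: int = 24       # spoofed sources are aggregated by prefix
    ipv6_prefix_len: int = 56


def client_prefix(ip_str: str, cfg: RRLConfig) -> str:
    """Aggregate the (possibly spoofed) source address to a prefix."""
    ip = ip_address(ip_str)
    plen = cfg.ipv4_prefix_len if ip.version == 4 else cfg.ipv6_prefix_len
    return str(ip_network((str(ip), plen), strict=False))


class RateLimiter:
    """Per-tuple response counter; real servers bound the table size."""

    def __init__(self, cfg: RRLConfig):
        self.cfg = cfg
        self.counts = {}                      # tuple -> (second, count)
        self.limited = collections.Counter()  # tuple -> limited responses seen

    def decide(self, now: float, client_ip: str, qname: str,
               qtype: str, rcode: str) -> str:
        """Return RESPOND, DROP or TRUNCATE for the response about to be sent."""
        key = (client_prefix(client_ip, self.cfg), qname.lower(), qtype, rcode)
        sec, count = self.counts.get(key, (None, 0))
        if sec != int(now):                   # new one-second window: reset
            sec, count = int(now), 0
        count += 1
        self.counts[key] = (sec, count)
        if count <= self.cfg.responses_per_second:
            return "RESPOND"
        if self.cfg.slip == 0:
            return "DROP"
        self.limited[key] += 1
        # every slip-th limited response is sent truncated (TC=1, no RRs),
        # which a legitimate resolver answers by retrying the query over TCP
        if self.limited[key] % self.cfg.slip == 0:
            return "TRUNCATE"
        return "DROP"


def run_sample(cfg: RRLConfig = None) -> dict:
    """Replay constructed traffic and tally the limiter's decisions."""
    cfg = cfg or RRLConfig()
    rl = RateLimiter(cfg)
    tally = collections.Counter()
    # constructed: 20 spoofed queries claiming one /24 source within one second
    for i in range(20):
        tally[rl.decide(0.01 * i, "198.51.100.7", "example.com.", "ANY", "NOERROR")] += 1
    # constructed: 3 queries from an unrelated prefix in the same second
    for _ in range(3):
        tally[rl.decide(0.5, "203.0.113.9", "example.com.", "ANY", "NOERROR")] += 1
    # constructed: the spoofed prefix again in the next second (window reset)
    tally[rl.decide(1.2, "198.51.100.200", "example.com.", "ANY", "NOERROR")] += 1
    return dict(tally)


if __name__ == "__main__":
    print(run_sample())
```

Two things the run makes visible: the limiter keys on the claimed source prefix plus the response contents, so it only bites when a flood of identical answers is aimed at one spoofed prefix, which is exactly the reflection pattern; and the unrelated client on 203.0.113.0/24 is answered normally while the victim prefix receives at most a few small TC packets per second instead of full-size amplified responses.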