[ratelimits] rrl mention in an nlnetlabs tech report

Olaf Kolkman olaf at NLnetLabs.nl
Fri Aug 23 08:01:24 UTC 2013





On 22 aug. 2013, at 20:02, Paul Vixie <paul at redbarn.org> wrote:

> saw this:
> 
>> Another pro-active technique is Response Rate
>> Limiting (RRL) [29]. It limits the number of unique
>> responses sent by the authoritative server. Roughly,
>> it works by keeping track of several pieces of
>> information of the responses. With every subsequent
>> request, the name server checks whether the
>> response that would be sent exceeds the set limit
>> of responses per second per set of information. If
>> this is the case, it either responds only once in a
>> number of queries (configurable) or it sends a
>> truncated (TC-flag set) answer, forcing a legitimate
>> resolver to retry the query over TCP. RRL is currently
>> the most promising technique and is implemented
>> in the most popular name server software like
>> BIND [14], NSD [20] and Knot [17]. The effectiveness
>> of RRL is debated, it stops unsophisticated
>> attacks using reflection. 
> 
> here:
> 
> http://www.nlnetlabs.nl/downloads/publications/report-rp2-lexis.pdf


Made by one of our interns.

I wonder if you wanted to express something more than "look at this" with the specific quote?

--Olaf

PS. other related intern work: http://www.nlnetlabs.nl/downloads/publications/report-rrl-dekoning-rozekrans.pdf
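
The rate-limiting decision that the quoted report paragraph describes, as an added example; it is not part of the original message and not code from BIND, NSD or Knot. The bucket key (client /24 network, query name, response code), the fixed one-second window, and the `slip` parameter (every `slip`-th over-limit reply is sent truncated, the rest are dropped) are assumptions of this sketch, and all traffic is constructed.

```python
import ipaddress


class ResponseRateLimiter:
    """Counts responses per second per (client network, qname, rcode)."""

    def __init__(self, limit_per_sec=5, slip=2, prefix_len=24):
        self.limit = limit_per_sec
        self.slip = slip              # 0 = drop every over-limit response
        self.prefix_len = prefix_len  # IPv4 prefix used to group clients
        self.window = {}              # key -> [second, sent, over_limit]

    def _key(self, client_ip, qname, rcode):
        # Group by network: in a reflection attack the source address is
        # the victim's, and the flood may be spread over nearby addresses.
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower().rstrip("."), rcode)

    def decide(self, client_ip, qname, rcode, now):
        """Return 'send', 'truncate' (TC set, retry over TCP) or 'drop'."""
        key = self._key(client_ip, qname, rcode)
        second = int(now)
        state = self.window.get(key)
        if state is None or state[0] != second:
            # New one-second window for this key; counters start over.
            state = self.window[key] = [second, 0, 0]
        if state[1] < self.limit:
            state[1] += 1
            return "send"
        state[2] += 1
        if self.slip and state[2] % self.slip == 0:
            return "truncate"
        return "drop"


def simulate():
    """Constructed traffic: 20 identical queries from one source in one second."""
    rrl = ResponseRateLimiter(limit_per_sec=5, slip=2)
    flood = [rrl.decide("192.0.2.10", "example.com.", "NOERROR", 100.0 + i * 0.01)
             for i in range(20)]
    other = rrl.decide("198.51.100.7", "example.com.", "NOERROR", 100.1)
    next_second = rrl.decide("192.0.2.10", "example.com.", "NOERROR", 101.0)
    return flood, other, next_second


if __name__ == "__main__":
    flood, other, next_second = simulate()
    print(flood, other, next_second)
```

A long-running server would also expire idle keys from `window`; that is left out here to keep the decision logic visible.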

