[ratelimits] RRL logs understanding

Vernon Schryver vjs at rhyolite.com
Fri Aug 23 12:19:03 UTC 2013


> From GeertJan.deGroot at xs4all.nl Fri Aug 23 08:55:02 2013

> > You can do other things with RRL.  One petty example is my use of
> > RRL to inconvenience those who obsessively walk my reverse DNS
> > zones.  They don't hit hard enough to congest my links or kill my
> > DNS servers, but they do irk me.
>
> Are you sure that works as intended?
> IPs that have a PTR record still yield a response which is not
> rate limited because the response is different for each IP,
> so RRL doesn't kick in and this doesn't help in limiting enumeration of the zone.

That is true about address blocks or PTR zones that are fully
populated.  However, the zone for my petty and trivial block is mostly
empty and so they get many NXDOMAIN responses which are noticed by RRL.
They appear in my RRL logs.

There is no legitimate reason to enumerate all of the labels in a
domain or all of the types for a single domain as fast as the authority
server responds.  All of those who do that are bad guys.

However, those who do it are looking for information for evil (e.g.
spam) instead of trying an immediate DoS attack.  You could make a
variant of RRL that ignores the qtype or the final label of the qname,
but that would only affect the utter idiots who sequentially walk
zones.  Anyone with the least clue about numbers spreads out DNS queries
related to IP addresses (either PTR or server IP address).  For example,
because the prime 65537 is a generator of the additive group mod 2**32, the
following would hit each valid IPv4 address exactly once, but each hit
on any given /24 is separated by hits on about 65K other /24's:

    uint32_t addr = 0;                 /* unsigned 32-bit: wraps mod 2**32 */
    uint64_t i;                        /* 4294967296 does not fit in 32 bits */
    for (i = 0; i < 4294967296ULL; ++i) {
        addr = (uint32_t)(((uint64_t)addr + 65537) % 4294967296ULL);
        if (valid_ip(addr))            /* valid_ip() and hit() are left undefined here */
            hit(addr);
    }


Vernon Schryver    vjs at rhyolite.com
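The stride walk from the post, carried a little further as an added example (Python; this is not code from the post, from the list, or from any RRL implementation). It checks the claim that stepping by 65537 visits every address exactly once, measures how many queries separate two hits on the same /24, and contrasts a sequential walker with the strided one under a simplified detector that counts queries per /24 reverse zone over a window of queries. That counter model, the function names and the sample start address 10.0.0.1 are assumptions of this example, not RRL's actual bucketing. It also generalizes the post's 65537: any odd stride is a full cycle mod 2**32, because what matters is gcd(stride, 2**32) == 1.

```python
"""Stride walk of the IPv4 space (added example, not from the post).

Models a zone-walker that visits every IPv4 address once with a fixed
stride, and a simplified detector that counts queries per /24 reverse
zone.  Nothing here is BIND's RRL algorithm; the detector is a model.
"""
from math import gcd
from typing import Dict, Iterator, Optional, Tuple

IPV4_BITS = 32
STRIDE = 65537  # 2**16 + 1, the stride used in the post


def is_full_cycle_stride(stride: int, bits: int = IPV4_BITS) -> bool:
    """True if stepping by `stride` modulo 2**bits visits every value once.

    The post's 65537 is one instance; the general condition is that the
    stride is coprime to 2**bits, i.e. odd (generalization added here).
    """
    return gcd(stride, 1 << bits) == 1


def stride_walk(start: int, stride: int = STRIDE, bits: int = IPV4_BITS,
                count: Optional[int] = None) -> Iterator[int]:
    """Yield start, start+stride, start+2*stride, ... modulo 2**bits.

    Yields `count` addresses, or the whole space if `count` is None.
    """
    mask = (1 << bits) - 1
    addr = start & mask
    n = (1 << bits) if count is None else count
    for _ in range(n):
        yield addr
        addr = (addr + stride) & mask   # same as (addr + stride) % 2**bits


def visits_every_value_once(stride: int, bits: int) -> bool:
    """Exhaustively verify the permutation claim on a small address space."""
    seen = bytearray(1 << bits)
    for addr in stride_walk(0, stride, bits):
        if seen[addr]:
            return False
        seen[addr] = 1
    return all(seen)


def prefix_revisit_gap(start: int, stride: int, prefix_bits: int = 24,
                       limit: int = 1 << 20) -> Tuple[int, int]:
    """Walk from `start` until the walker lands in start's /prefix again.

    Returns (steps until the revisit, number of distinct other prefixes
    hit in between), or (-1, distinct) if no revisit within `limit` steps.
    """
    shift = IPV4_BITS - prefix_bits
    home = start >> shift
    others = set()
    for step, addr in enumerate(stride_walk(start, stride, count=limit + 1)):
        if step == 0:
            continue
        prefix = addr >> shift
        if prefix == home:
            return step, len(others)
        others.add(prefix)
    return -1, len(others)


def max_hits_per_prefix(start: int, stride: int, window: int,
                        prefix_bits: int = 24) -> int:
    """Simplified detector model (an assumption of this example).

    Counts the next `window` queries per /prefix reverse zone and returns
    the busiest zone's count.  A detector keyed on the zone sees
    window/256 hits from a sequential walker but only one from the
    strided walker, which is why the stride defeats it.
    """
    shift = IPV4_BITS - prefix_bits
    counts: Dict[int, int] = {}
    for addr in stride_walk(start, stride, count=window):
        p = addr >> shift
        counts[p] = counts.get(p, 0) + 1
    return max(counts.values())


if __name__ == "__main__":
    sample_start = 0x0A000001  # 10.0.0.1, a constructed starting point
    print("65537 is a full cycle:", is_full_cycle_stride(STRIDE))
    print("revisit gap for 10.0.0.0/24, strided:",
          prefix_revisit_gap(sample_start, STRIDE))
    print("revisit gap for 10.0.0.0/24, sequential:",
          prefix_revisit_gap(sample_start, 1))
    print("busiest /24 in 65536 queries, sequential:",
          max_hits_per_prefix(0, 1, 65536))
    print("busiest /24 in 65536 queries, strided:",
          max_hits_per_prefix(0, STRIDE, 65536))
```

The numbers explain the post's "about 65K other /24's": because 65537 * 65535 is congruent to -1 mod 2**32, the walker returns to the address just below its starting point after 65535 queries, and every one of the 65534 queries in between lands in a different /24 (each step moves to the next /16). A detector that wants to notice this kind of walker therefore has to key on the client across all zones rather than on the zone being queried.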
