[ratelimits] Analysis of BIND RRL patch + question

ratelimits at elsif.net ratelimits at elsif.net
Mon Feb 11 18:59:02 UTC 2013 

I wanted to do some analysis on how well RRL was protecting us.

First, I want to point out that I made bad assumptions early.

I assumed...

..this was a successful query/response...
11-Feb-2013 12:04:08.235 queries: info: client 192.228.XX.YY#4130 (thisisatestbyjake0.ca): query: thisisatestbyjake0.ca IN A + (192.228.28.9)

..this was a TCP reset response...
11-Feb-2013 12:04:08.374 queries: info: client 192.228.XX.YY#4130 (thisisatestbyjake6.ca): slip NXDOMAIN response to 192.228.XX.0/24 for ca IN A  (0000047e)

..this was an entirely dropped response...
11-Feb-2013 12:04:08.305 queries: info: client 192.228.XX.YY#4130 (thisisatestbyjake5.ca): drop NXDOMAIN response to 192.228.XX.0/24 for ca IN A  (0000047e)

My assumption was bad because the first entry, "query: " line is doing exactly as it always has:  logging the query only.

It took me using a "repeat 10 dig ...", with the ports randomizing, to see that the "slip" and "drop" always correlate to a "query" line.

I had missed this in just watching real-world attacks scroll by, because more often than not, the attacker uses the same port ~25 times.



Next...I wanted to see how effective it was with the default/recommended settings of 5/5 as such:
        rate-limit {
                responses-per-second 5;
                window 5;
        };

Using "dnsperf" to send 10 queries that would all generate the same NXDOMAIN response:
[Timeout] Query timed out: msg id 3
[Timeout] Query timed out: msg id 8
[Timeout] Query timed out: msg id 9
  Percentage completed:  70.00%
  Percentage lost:       30.00%

11-Feb-2013 12:14:10.616 queries: info: client 192.228.XX.YY#17531 (thisisatestbyjake0.ca): query: thisisatestbyjake0.ca IN A + (192.228.28.9)
11-Feb-2013 12:14:10.616 queries: info: client 192.228.XX.YY#17531 (thisisatestbyjake1.ca): query: thisisatestbyjake1.ca IN A + (192.228.28.9)
11-Feb-2013 12:14:10.685 queries: info: client 192.228.XX.YY#17531 (thisisatestbyjake2.ca): query: thisisatestbyjake2.ca IN A + (192.228.28.9)
11-Feb-2013 12:14:10.685 queries: info: client 192.228.XX.YY#17531 (thisisatestbyjake4.ca): query: thisisatestbyjake4.ca IN A + (192.228.28.9)
11-Feb-2013 12:14:10.685 queries: info: client 192.228.XX.YY#17531 (thisisatestbyjake5.ca): query: thisisatestbyjake5.ca IN A + (192.228.28.9)
11-Feb-2013 12:14:10.686 queries: info: client 192.228.XX.YY#17531 (thisisatestbyjake3.ca): query: thisisatestbyjake3.ca IN A + (192.228.28.9)
11-Feb-2013 12:14:10.686 queries: info: client 192.228.XX.YY#17531 (thisisatestbyjake3.ca): drop NXDOMAIN response to 192.228.XX.0/24 for ca IN A  (0000047e)
11-Feb-2013 12:14:10.754 queries: info: client 192.228.XX.YY#17531 (thisisatestbyjake6.ca): query: thisisatestbyjake6.ca IN A + (192.228.28.9)
11-Feb-2013 12:14:10.754 queries: info: client 192.228.XX.YY#17531 (thisisatestbyjake6.ca): slip NXDOMAIN response to 192.228.XX.0/24 for ca IN A  (0000047e)
11-Feb-2013 12:14:10.754 queries: info: client 192.228.XX.YY#17531 (thisisatestbyjake8.ca): query: thisisatestbyjake8.ca IN A + (192.228.28.9)
11-Feb-2013 12:14:10.754 queries: info: client 192.228.XX.YY#17531 (thisisatestbyjake7.ca): query: thisisatestbyjake7.ca IN A + (192.228.28.9)
11-Feb-2013 12:14:10.755 queries: info: client 192.228.XX.YY#17531 (thisisatestbyjake9.ca): query: thisisatestbyjake9.ca IN A + (192.228.28.9)
11-Feb-2013 12:14:10.755 queries: info: client 192.228.XX.YY#17531 (thisisatestbyjake8.ca): drop NXDOMAIN response to 192.228.XX.0/24 for ca IN A  (0000047e)
11-Feb-2013 12:14:10.755 queries: info: client 192.228.XX.YY#17531 (thisisatestbyjake7.ca): slip NXDOMAIN response to 192.228.XX.0/24 for ca IN A  (0000047e)
11-Feb-2013 12:14:10.755 queries: info: client 192.228.XX.YY#17531 (thisisatestbyjake9.ca): drop NXDOMAIN response to 192.228.XX.0/24 for ca IN A  (0000047e)

So...7 out of 10 queries responded to, says dnsperf and the BIND query log.

That 7/10 figure is very consistent.  What is not consistent is which of the responses are dropped.

This appears due to the fact that these queries, sent at a very high rate, do not always arrive in the order they were sent, and thus, nor do their responses.

The numbers are very much improved when a larger amount of queries are sent.  In this example, I send 100 queries.

Using "dnsperf" to send 100 queries that would all generate the same NXDOMAIN response:
  Percentage completed:  52.00%
  Percentage lost:       48.00%

So...52 out of 100 queries responded to, says dnsperf and the BIND query log.  This figure is also very consistent.

When I send 1000 queries...it takes 11 seconds.  So... ~90 queries/second.
  Percentage completed:  50.20%
  Percentage lost:       49.80%

This means that I've responded to ~45 queries/second.

This begs the question, then...

Why did I respond to 45 queries/second when I'm configured to do:
        responses-per-second 5;

-Jake

More information about the ratelimits mailing list