[ratelimits] RRL vs other approaches

David Miller dmiller at tiggee.com
Tue Feb 19 15:50:28 UTC 2013


On 2/19/2013 10:02 AM, Paul Vixie wrote:
> ...
> 
> Jared Mauch wrote:
>> On Feb 19, 2013, at 8:48 AM, Edward Lewis wrote:
>>
>>> ...
>>
>> Sending back TC to "authenticate" clients would likely help reduce the abuse of 'udp any'
> 
> no. really. not. the subsequent udp queries you would prospectively
> receive following a successful tcp session in the above scenario need
> not be truly sourced. using a successful tcp session as a gate to a
> lightweight udp session is entirely wrong in terms of protecting
> spoofed-source victims from your orbiting death ray projector. (i'm
> touchy about this since i had the same idea and vernon had to straighten
> me out on the subject.)

Agreed, if you are only "authenticating" source IP.  If TC->TCP was
"authenticating" other characteristics as well I would hope for better
results.  Some characteristics that could be used, off the top of my
head, would be TTL, DO bit, EDNS/bufsize.

> 
>> I was "forced" to rebuild my dns server in the past week or so.. I have not built-in the rrl patch yet as part of the running server and have noticed that the CPU usage is significantly lower.  (Instead of "150%" it's about 50% of a core).
>>
>> Right now I'm debating if it makes sense to continue to patch w/ rrl due to the much higher "cost" (2-3x)
> 
> as warren said, this sounds like pilot error or measurement failure.
> your cpu costs under RRL should be far lower during an attack since
> you're avoiding the response marshalling cost, and should be about the
> same during non-attack since the hash table is preallocated and the
> hashing is pretty quick. please investigate your claim above, and report
> back?
> 
> paul
> 
> 
> 
> _______________________________________________
> ratelimits mailing list
> ratelimits at lists.redbarn.org
> http://lists.redbarn.org/mailman/listinfo/ratelimits
> 
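The RRL behaviour Paul describes above (a preallocated per-bucket credit, limited answers decided before the response is marshalled, and "slipped" TC replies so real clients can retry over TCP) as an added Python simulation; it is not code from this thread or from any RRL implementation, and the bucket key, RPS, WINDOW, SLIP values and all traffic are assumed or constructed for illustration.

```python
"""Toy Response Rate Limiting (RRL) simulation.  Assumed model: responses are
bucketed by (client /24, qname, rcode); a bucket earns RPS credits per second
up to RPS * WINDOW; every SLIP-th limited response becomes a TC reply."""
import ipaddress

RPS = 5       # responses per second allowed per bucket (assumed value)
WINDOW = 15   # seconds of credit a bucket may bank (assumed value)
SLIP = 2      # every 2nd limited response is a small TC reply; 0 = drop all


class RRL:
    def __init__(self):
        self.buckets = {}   # key -> [balance, last_seen_second, limited_count]

    @staticmethod
    def key(src_ip, qname, rcode):
        # Spoofed floods vary the low bits of the source, so bucket per /24.
        net = ipaddress.ip_network(f"{src_ip}/24", strict=False)
        return (str(net), qname.lower().rstrip("."), rcode)

    def check(self, now, src_ip, qname, rcode):
        """Return 'send', 'slip' (TC-only reply) or 'drop' for one response.
        The decision costs a hash lookup and a few integer ops, and a dropped
        or slipped answer is never fully built: that is the CPU saving."""
        b = self.buckets.setdefault(self.key(src_ip, qname, rcode), [RPS, now, 0])
        balance, last, limited = b
        balance = min(balance + (now - last) * RPS, RPS * WINDOW)  # refill
        balance = max(balance - 1, -RPS * WINDOW)                  # spend, bounded debt
        if balance >= 0:
            action = "send"
        else:
            limited += 1
            action = "slip" if SLIP and limited % SLIP == 0 else "drop"
        b[:] = [balance, now, limited]
        return action


def simulate():
    """Constructed traffic: one spoofed flood plus two ordinary queries."""
    rrl = RRL()
    tally = {"send": 0, "slip": 0, "drop": 0}
    # 100 identical queries within one second, sources spread over one /24
    # (constructed sample standing in for a spoofed reflection flood).
    for i in range(100):
        tally[rrl.check(0, f"192.0.2.{i % 256}", "example.com.", "NOERROR")] += 1
    # A client in a different /24 asking the same name is unaffected.
    other = rrl.check(0, "198.51.100.7", "example.com.", "NOERROR")
    # A real client inside the flooded /24 a second later still shares the
    # debt, but gets a TC reply it can retry over TCP rather than silence.
    victim = rrl.check(1, "192.0.2.200", "example.com.", "NOERROR")
    return tally, other, victim
```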