[ratelimits] RRL vs other approaches

Matthijs Mekking matthijs at nlnetlabs.nl
Wed Feb 20 07:28:01 UTC 2013


On 02/19/2013 04:02 PM, Paul Vixie wrote:
> ...
> Jared Mauch wrote:
>> On Feb 19, 2013, at 8:48 AM, Edward Lewis wrote:
>>> ...
>> Sending back TC to "authenticate" clients would likely help
>> reduce the abuse of 'udp any'
> no. really. not. the subsequent udp queries you would
> prospectively receive following a successful tcp session in the
> above scenario need not be truly sourced. using a successful tcp
> session as a gate to a lightweight udp session is entirely wrong in
> terms of protecting spoofed-source victims from your orbiting death
> ray projector. (i'm touchy about this since i had the same idea and
> vernon had to straighten me out on the subject.)
>> I was "forced" to rebuild my dns server in the past week or so.
>> I have not built in the rrl patch yet as part of the running
>> server and have noticed that the CPU usage is significantly
>> lower.  (Instead of "150%" it's about 50% of a core.)
>> Right now I'm debating if it makes sense to continue to patch w/
>> rrl due to the much higher "cost" (2-3x)
> as warren said, this sounds like pilot error or measurement
> failure. your cpu costs under RRL should be far lower during an
> attack since you're avoiding the response marshalling cost, and
> should be about the same during non-attack since the hash table is
> preallocated and the hashing is pretty quick. please investigate
> your claim above, and report back?

In some measurements in our test lab we have seen that BIND9 with RRL has
4% less CPU utilization when under attack.

Best regards,

> paul
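To make the cost argument above concrete, here is a simplified response rate limiter in the spirit of the BIND9 RRL patch under discussion. It is an added illustration, not BIND's code and not anything posted to the list: the table is preallocated at startup, so the per-query work is one hash and one bucket update; a tuple (client /24, qname, qtype) that has exhausted its credits never has a full answer marshalled; and every second rate-limited response is "slipped" as a tiny TC=1 reply so a genuine client retries over TCP while a spoofed-source victim receives only a small packet. The table size, rate, window, slip ratio, eviction policy and the FNV-1a hash are assumptions chosen for the example, not BIND's defaults.

```c
/* Simplified DNS response rate limiting (RRL). Added example; not BIND's
 * implementation. Constants below are illustrative assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

#define RRL_TABLE_SIZE 4096  /* preallocated at startup: no allocation on the hot path */
#define RRL_PROBES     8     /* linear-probe distance before evicting a slot */
#define RRL_RATE       5     /* responses per second per (netblock, qname, qtype) */
#define RRL_WINDOW     15    /* seconds of credit (or debt) that may accumulate */
#define RRL_SLIP       2     /* every 2nd rate-limited response goes out truncated (TC) */

enum rrl_action { RRL_SEND = 0, RRL_DROP = 1, RRL_SLIP_TC = 2 };

struct rrl_entry {
    uint64_t key;        /* 0 marks an unused slot */
    int32_t  credits;    /* token bucket; goes negative while over the limit */
    uint32_t last_sec;   /* last time credits were refilled */
    uint32_t slip_count; /* rate-limited responses since the last TC reply */
};

static struct rrl_entry rrl_table[RRL_TABLE_SIZE]; /* sized once, never grown */

void rrl_reset(void) { memset(rrl_table, 0, sizeof rrl_table); }

/* FNV-1a over the identity of the would-be response. DNS names are
 * case-insensitive, so the name is folded to lower case while hashing,
 * and IPv4 clients are aggregated per /24 so a flood from one netblock
 * shares a single bucket. */
uint64_t rrl_key(uint32_t client_ip, const char *qname, uint16_t qtype) {
    uint64_t h = 0xcbf29ce484222325ull;
    uint32_t net = client_ip & 0xffffff00u;
    const unsigned char *p;
    size_t i;
    for (i = 0; i < sizeof net; i++) { h ^= (net >> (8 * i)) & 0xff; h *= 0x100000001b3ull; }
    for (p = (const unsigned char *)qname; *p; p++) { h ^= (unsigned char)tolower(*p); h *= 0x100000001b3ull; }
    h ^= qtype & 0xff; h *= 0x100000001b3ull;
    h ^= qtype >> 8;   h *= 0x100000001b3ull;
    return h ? h : 1; /* never return the "unused slot" marker */
}

static struct rrl_entry *rrl_lookup(uint64_t key, uint32_t now_sec) {
    size_t base = (size_t)(key % RRL_TABLE_SIZE), i;
    struct rrl_entry *victim = NULL;
    for (i = 0; i < RRL_PROBES; i++) {
        struct rrl_entry *e = &rrl_table[(base + i) % RRL_TABLE_SIZE];
        if (e->key == key) return e;
        if (e->key == 0) { victim = e; break; }
        if (victim == NULL || e->last_sec < victim->last_sec) victim = e; /* evict the stalest */
    }
    /* New (or evicted) entry starts with one second's worth of credit. */
    victim->key = key;
    victim->credits = RRL_RATE;
    victim->last_sec = now_sec;
    victim->slip_count = 0;
    return victim;
}

enum rrl_action rrl_check(uint32_t client_ip, const char *qname, uint16_t qtype, uint32_t now_sec) {
    struct rrl_entry *e = rrl_lookup(rrl_key(client_ip, qname, qtype), now_sec);
    if (now_sec > e->last_sec) { /* refill credits for elapsed seconds, capped at the window */
        int64_t c = (int64_t)e->credits + (int64_t)(now_sec - e->last_sec) * RRL_RATE;
        if (c > (int64_t)RRL_RATE * RRL_WINDOW) c = (int64_t)RRL_RATE * RRL_WINDOW;
        e->credits = (int32_t)c;
        e->last_sec = now_sec;
    }
    if (e->credits > 0) { e->credits--; return RRL_SEND; }
    /* Over the limit: the full answer is never built, which is where the CPU
     * saving under attack comes from. Debt is bounded so a flood cannot lock
     * the tuple out for longer than the window after it stops. */
    if (e->credits > -(int32_t)(RRL_RATE * RRL_WINDOW)) e->credits--;
    if (++e->slip_count >= RRL_SLIP) {
        e->slip_count = 0;
        return RRL_SLIP_TC; /* minimal TC=1 reply: real resolvers retry over TCP */
    }
    return RRL_DROP;
}

int main(void) {
    /* Constructed sample: eight identical queries from 192.0.2.10 in one second. */
    static const char *names[] = { "send", "drop", "slip(TC)" };
    int i;
    rrl_reset();
    for (i = 0; i < 8; i++)
        printf("query %d: %s\n", i + 1, names[rrl_check(0xC000020Au, "example.com", 1, 100)]);
    return 0;
}
```

Note that the per-query work is the same whether or not an attack is in progress: one hash, a bounded probe in a fixed table and an integer update. What changes under attack is that most queries leave before any response is assembled, which is the behaviour Paul describes.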
