[ratelimits] RRL vs other approaches
Matthijs Mekking
matthijs at nlnetlabs.nl
Wed Feb 20 07:28:01 UTC 2013
On 02/19/2013 04:02 PM, Paul Vixie wrote:
> ...
>
> Jared Mauch wrote:
>> On Feb 19, 2013, at 8:48 AM, Edward Lewis wrote:
>>
>>> ...
>>
>> Sending back TC to "authenticate" clients would likely help
>> reduce the abuse of 'udp any'
>
> no. really. not. the subsequent udp queries you would
> prospectively receive following a successful tcp session in the
> above scenario need not be truly sourced. using a successful tcp
> session as a gate to a lightweight udp session is entirely wrong in
> terms of protecting spoofed-source victims from your orbiting death
> ray projector. (i'm touchy about this since i had the same idea and
> vernon had to straighten me out on the subject.)
>
>> I was "forced" to rebuild my dns server in the past week or so.
>> I have not built-in the rrl patch yet as part of the running
>> server and have noticed that the CPU usage is significantly
>> lower. (Instead of "150%" it's about 50% of a core).
>>
>> Right now I'm debating if it makes sense to continue to patch w/
>> rrl due to the much higher "cost" (2-3x)
>
> as warren said, this sounds like pilot error or measurement
> failure. your cpu costs under RRL should be far lower during an
> attack since you're avoiding the response marshalling cost, and
> should be about the same during non-attack since the hash table is
> preallocated and the hashing is pretty quick. please investigate
> your claim above, and report back?
In some measurements in our test lab we have seen that BIND9 with RRL has
4% less CPU utilization when under attack.
Best regards,
Matthijs
>
> paul
>
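A toy model of the two approaches argued about above, added here as an illustration (it is not code from this thread, from BIND9 or from any poster). The addresses, packet sizes, per-prefix keying and the simplified credit bucket are assumptions chosen for the example; real RRL keys and accounting differ in detail. It shows why a TCP-gated allowlist protects nobody once the allowlisted address is forged in UDP headers, and how RRL's TC "slip" keeps a real client reachable while denying the spoofer amplification.

```python
"""Toy model, added to this thread (not BIND's RRL code, not code from any
poster): compare the 'TCP-authenticated client' idea with response rate
limiting under a spoofed-source UDP flood.  Addresses, packet sizes and the
simplified credit bucket below are assumptions made for illustration."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed sizes (assumed): a small query that elicits a large ANY answer,
# versus a truncated (TC=1) reply that carries no answer data.
QUERY_BYTES = 64
FULL_RESPONSE_BYTES = 3000
TC_RESPONSE_BYTES = 64

VICTIM = "198.51.100.7"      # documentation-range address, constructed


@dataclass
class Query:
    src: str            # source address in the IP header; forgeable over UDP
    qname: str
    qtype: str
    transport: str = "udp"


class TcpGate:
    """The idea Paul rejects: once a source completes a TCP query, answer its
    later UDP queries in full.  Only the TCP exchange proved anything."""

    def __init__(self):
        self.verified = set()

    def respond(self, q, now=0.0):
        if q.transport == "tcp":
            self.verified.add(q.src)       # the handshake really reached src
            return FULL_RESPONSE_BYTES
        if q.src in self.verified:
            return FULL_RESPONSE_BYTES     # a UDP header claiming src proves nothing
        return TC_RESPONSE_BYTES


class Rrl:
    """Simplified response rate limiter, loosely modelled on BIND9 RRL: one
    credit bucket per (source prefix, qname, qtype), refilled at `rate` per
    second; when it is empty, every `slip`-th suppressed response goes out as
    a small TC reply so a real client can retry over TCP."""

    def __init__(self, rate=5, window=1.0, slip=2, prefix_len=24):
        self.rate, self.window, self.slip = rate, window, slip
        self.prefix_len = prefix_len
        self.buckets = {}                  # key -> (credits, last_update)
        self.drops = defaultdict(int)

    def key(self, q):
        net = ipaddress.ip_network(f"{q.src}/{self.prefix_len}", strict=False)
        return (str(net), q.qname.lower(), q.qtype)

    def respond(self, q, now=0.0):
        if q.transport == "tcp":
            return FULL_RESPONSE_BYTES     # TCP sources are genuine; not limited here
        k = self.key(q)
        cap = self.rate * self.window
        credits, last = self.buckets.get(k, (cap, now))
        credits = min(cap, credits + (now - last) * self.rate)
        if credits >= 1:
            self.buckets[k] = (credits - 1, now)
            return FULL_RESPONSE_BYTES     # the only case that marshals a full answer
        self.buckets[k] = (credits, now)
        self.drops[k] += 1
        return TC_RESPONSE_BYTES if self.drops[k] % self.slip == 0 else 0


def run_flood(server, n=1000):
    """Victim makes one genuine TCP query, then an attacker sends n UDP ANY
    queries forged with the victim's address (all within one second).
    Returns bytes sent by the attacker, bytes the server fires at the
    victim, and the resulting amplification factor."""
    server.respond(Query(VICTIM, "example.com", "ANY", "tcp"))
    sent_by_attacker = n * QUERY_BYTES
    hits_victim = sum(server.respond(Query(VICTIM, "example.com", "ANY"))
                      for _ in range(n))
    return sent_by_attacker, hits_victim, hits_victim / sent_by_attacker


def legit_client_after_flood(server):
    """A real client at the victim's address: its UDP query may be truncated
    (or silently dropped), but a TCP retry is answered in full."""
    udp = server.respond(Query(VICTIM, "example.com", "ANY"))
    tcp = server.respond(Query(VICTIM, "example.com", "ANY", "tcp"))
    return udp, tcp


if __name__ == "__main__":
    for name, server in (("tcp-gate", TcpGate()), ("rrl", Rrl())):
        sent, hit, amp = run_flood(server)
        print(f"{name:8s} attacker sent {sent} B, victim received {hit} B, "
              f"amplification x{amp:.2f}")
        print(f"{name:8s} legit client afterwards (udp, tcp):",
              legit_client_after_flood(server))
```

With the assumed numbers the TCP gate hands the spoofer the full 3000-byte answer for every forged query (roughly 47x amplification), because the allowlist was earned by the victim's own genuine TCP query and is then reused by packets the victim never sent. Under the RRL model only the first few responses in the window are built and sent in full, the rest are dropped or replaced by a 64-byte TC reply, so the victim receives less than it would have sent itself, and the one real client behind that address still gets a full answer by retrying over TCP, which a spoofer cannot do.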