[ratelimits] can't make qps-scale change effective slip

Irwin Tillman irwin at princeton.edu
Sun Jan 6 18:39:39 UTC 2013

I'm unable to get qps-scale to change the effective slip.

Or perhaps I'm misunderstanding the behavior of qps-scale.

BIND 9.9.2-P1 with rpz2+rl-9.9.2-P1.patch (05-Jan-2013 version) applied
Solaris 10 SPARC
Sun Workshop Compiler 11.0

I observed an attack from a single IP address consisting of 7200 queries/second 
for a name (which does exist) ANY?.
These were nearly all the queries arriving at my authoritative-only server.


   rate-limit {
       responses-per-second 10;

I saw the server send approximately 3600 "truncated" responses/second to the queryer.
These were slipped responses, as expected.  
That rate made sense to me as I'd let slip default to 2.

Both the named statistics file and packet capture confirmed the query rate and the 
slipped response rate.

The normal query rate (for all queries) to this server is 13 queries/second.
I reconfigured to:

   rate-limit {
       responses-per-second 10;
       qps-scale 60;

I expected the result would be that the ongoing 7200 queries/second attack
would cause effective slip = (60/7200)*2 = 0.016.

So I expected the server would send approximately 7200 * 0.016 = 120 "truncated" responses/second to this queryer.
Instead the server continued to send approximately 3600 "truncated" responses/second to the queryer.
That appears confirmed both by the named statistics file, and my own packet capture.

I don't seem to be able to get qps-scale to change effective slip, or I'm misunderstanding qps-scale.

+++ Statistics Dump +++ (1357496364)
++ Incoming Requests ++
              866509 QUERY
++ Incoming Queries ++
                 654 A
                  11 NS
                  25 SOA
                  68 PTR
                  30 MX
                   6 TXT
                 236 AAAA
                   1 SRV
                   4 A6
              865427 ANY
++ Outgoing Queries ++
[View: default]
                 102 A
                   8 NS
                 109 AAAA
[View: hide-class-chaos]
[View: _bind]
++ Name Server Statistics ++
              866488 IPv4 requests received
              866250 requests with EDNS(0) received
                  10 auth queries rejected
              433825 responses sent
              432710 truncated responses sent
              433562 responses with EDNS(0) sent
                 651 queries resulted in successful answer
              433619 queries resulted in authoritative answer
                 200 queries resulted in non authoritative answer
                 200 queries resulted in referral answer
              432917 queries resulted in nxrrset
                   4 queries resulted in SERVFAIL
                  50 queries resulted in NXDOMAIN
              432710 queries dropped
              432712 responses dropped for rate limits
              432707 responses truncated for rate limits
++ Zone Maintenance Statistics ++

More information about the ratelimits mailing list