[ratelimits] can't make qps-scale change effective slip
vjs at rhyolite.com
Mon Jan 7 16:22:49 UTC 2013
> From: Bob Harold <rharolde at umich.edu>
> It would make sense to me to optionally be able to set the maximum slip
> rate in terms of slips per second, or seconds per slip, since that is what
> you would end up with. That would be easier than working through
> calculations to decide what rate I would get.

In a way, everything a DNS server does can be viewed as something per
second. However, the reason we called them "slip" is that they are
"slippage" of the main response dropping. There is a separate 4-bit
counter (hence the tiny range for the parameter) that counts each
dropped response. When the count reaches its limit, a tiny truncated
response is sent instead of nothing and the count is reset.

On the other hand, I see the problem in setting "responses-per-second 10"
and then sending 2000 truncated responses/second.

Perhaps responses limited by all-per-second should not be slipped.

> On a related note, can I set responses per second to less than 1 per
> second? I see an ongoing attacker sending one packet every 3 seconds (for
> isc.org any), and given enough open resolvers, they could be conducting an
> attack under the radar.

I think diffuse reflection attacks are an open problem.

On one hand, the available "responses-per-second 1" does not
differ very much from "responses-per-second 0.3".

On the other hand, what DNS response packet rate should we try to stop?
The big boys don't notice DoS attacks smaller than GBytes/second, but
those of us with 6 Mbit/sec or less of DSL don't want 100 3 KByte
DNSSEC responses/second. To defend 6 Mbit/sec against a 100K bot net,
you'd need "responses-per-second 0.001" or smaller.

How low can you set the RRL limit without blocking legitimate DNS
clients such as flocks behind NAT boxes or big ISP recursive server
farms crowded into CIDR blocks?

To detect responses repeated every 1000 seconds, a DNS server must
remember all responses sent for at least 1000 seconds. That could
be a memory issue if the DNS server sends 50,000 legitimate

A single DNS client might repeat its requests more often than once
per 1000 seconds because its cache is limited or because the TTLs in
the response are shorter than 1000 seconds.
Vernon Schryver vjs at rhyolite.com
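The slip mechanism and the fractional per-second limits discussed in this message, as an added toy model that is not the list's or any RRL implementation's code: one token bucket per query tuple plus the drop counter that turns every slip-th dropped answer into a truncated reply. The bucket shape (capacity of rate times window, never below one token) and the counter reset are assumptions of the model, and the traffic fed to it is constructed.

```python
"""Toy model of DNS Response Rate Limiting (RRL) with 'slip' (constructed example).

Exact rationals keep the tallies deterministic.
"""
from collections import Counter
from fractions import Fraction


class RrlBucket:
    """State for one (client prefix, qname, qtype) tuple: token bucket + slip counter.

    Assumed model: `rate` responses/second refill the bucket up to `rate * window`
    tokens (never less than one); each full response costs one token. Every
    `slip`-th dropped response is replaced by a small truncated (TC=1) reply so a
    real client retries over TCP; slip=0 never truncates. The list post describes
    the drop counter as 4 bits wide; here it is an int that resets at `slip`.
    """

    def __init__(self, rate, slip, window=1):
        self.rate = Fraction(rate)
        self.slip = slip
        self.capacity = max(Fraction(1), self.rate * Fraction(window))
        self.tokens = self.capacity
        self.last = Fraction(0)
        self.drops = 0  # the slip counter

    def decide(self, now):
        """Return 'send', 'truncate' or 'drop' for a response due at `now` seconds."""
        now = Fraction(now)
        self.tokens = min(self.capacity, self.tokens + self.rate * (now - self.last))
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return "send"
        self.drops += 1
        if self.slip and self.drops >= self.slip:
            self.drops = 0
            return "truncate"
        return "drop"


def simulate(rate, slip, interval, count, window=1):
    """Feed `count` identical queries spaced `interval` seconds apart; tally outcomes."""
    bucket = RrlBucket(rate, slip, window)
    tally = Counter(bucket.decide(Fraction(i) * Fraction(interval)) for i in range(count))
    return {k: tally[k] for k in ("send", "truncate", "drop")}


if __name__ == "__main__":
    # "responses-per-second 10" under a constructed 2000 qps flood of one query:
    # with slip 1 nearly every dropped answer still leaves as a truncated reply.
    for slip in (1, 2):
        print(f"rate 10, slip {slip}:", simulate(10, slip, Fraction(1, 2000), 2000))
    # One query every 3 seconds against limits of 1 and 0.3 responses per second.
    for rate in (1, Fraction(3, 10)):
        print(f"rate {rate}, 1 query / 3 s:", simulate(rate, 2, 3, 100))
```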