[ratelimits] Referrals incorrectly limited.

john jbond at ripe.net
Tue Jan 8 16:09:21 UTC 2013


Hello,

We have attempted to use the rate limiting patch here at RIPE NCC.
However, we have run into a problem. Our authoritative servers run a lot
of delegation-only zones, e.g. ccTLD and the arpa address space we host.
It appears that these responses are being incorrectly rate limited.

Attached in tcpdump.log is output from a tcpdump session showing that
the client in question queried 66 unique qnames. named.rrl.log is the
output from the rate limiting patch showing that the client would have
been blocked.

Each of the queries results in a referral to the same set of name
servers, i.e. the additional section in each response is exactly the
same; however, I thought that as the qname was unique the limiting would
not kick in? Perhaps this is due to the fact that there is no answer
section?

Here is the config I was using:

    rate-limit {
        responses-per-second 25;
        nxdomains-per-second 0;
        errors-per-second 0;
        log-only yes;
    };

BIND 9.9.2-vjs287.12 built with '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu'
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com'
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool'
'--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic'
'--disable-static' '--disable-openssl-version-check'
'--sysconfdir=/etc/named' 'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu'
'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS=' 'CXXFLAGS=-O2
-g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic' 'FFLAGS=-O2 -g -pipe
-Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic'
using OpenSSL version: OpenSSL 0.9.8e-rhel5 01 Jul 2008
using libxml2 version: 2.6.26

Patch:    rl-9.9.2.patch

Let me know if there is more info I can provide.

Regards

John
-------------- next part --------------
08-Jan-2013 15:42:05.633 rate-limit: would limit responses to 198.51.100.0/24 for 170.91.in-addr.arpa IN NS  (05bcec05)
08-Jan-2013 15:42:06.669 rate-limit: would stop limiting responses to 198.51.100.0/24 for 170.91.in-addr.arpa IN NS  (05bcec05)
08-Jan-2013 15:42:17.383 rate-limit: would limit responses to 198.51.100.0/24 for 170.91.in-addr.arpa IN NS  (05bcec05)
08-Jan-2013 15:42:18.639 rate-limit: would stop limiting responses to 198.51.100.0/24 for 170.91.in-addr.arpa IN NS  (05bcec05)
08-Jan-2013 15:42:22.900 rate-limit: would limit responses to 198.51.100.0/24 for 170.91.in-addr.arpa IN NS  (05bcec05)
08-Jan-2013 15:42:23.988 rate-limit: would stop limiting responses to 198.51.100.0/24 for 170.91.in-addr.arpa IN NS  (05bcec05)
08-Jan-2013 15:42:24.451 rate-limit: would limit responses to 198.51.100.0/24 for 170.91.in-addr.arpa IN NS  (05bcec05)
08-Jan-2013 15:42:25.652 rate-limit: would stop limiting responses to 198.51.100.0/24 for 170.91.in-addr.arpa IN NS  (05bcec05)
-------------- next part --------------
15:42:17.242967 IP 198.51.100.111.12346 > 193.0.9.6.53: 6825+ NS? 170.170.91.in-addr.arpa. (41)
15:42:17.244020 IP 198.51.100.111.12353 > 193.0.9.6.53: 48100+ NS? 147.170.91.in-addr.arpa. (41)
15:42:17.244645 IP 198.51.100.111.12357 > 193.0.9.6.53: 11425+ NS? 211.170.91.in-addr.arpa. (41)
15:42:17.245479 IP 198.51.100.111.12346 > 193.0.9.6.53: 34972+ NS? 199.170.91.in-addr.arpa. (41)
15:42:17.246028 IP 198.51.100.111.12355 > 193.0.9.6.53: 5337+ NS? 89.170.91.in-addr.arpa. (40)
15:42:17.246568 IP 198.51.100.111.12354 > 193.0.9.6.53: 15316+ NS? 99.170.91.in-addr.arpa. (40)
15:42:17.247402 IP 198.51.100.111.12349 > 193.0.9.6.53: 61293+ NS? 226.170.91.in-addr.arpa. (41)
15:42:17.252746 IP 198.51.100.111.12358 > 193.0.9.6.53: 29376+ NS? 187.170.91.in-addr.arpa. (41)
15:42:17.255341 IP 198.51.100.111.12356 > 193.0.9.6.53: 57201+ NS? 137.170.91.in-addr.arpa. (41)
15:42:17.258106 IP 198.51.100.111.12345 > 193.0.9.6.53: 64105+ NS? 158.170.91.in-addr.arpa. (41)
15:42:17.260209 IP 198.51.100.111.12356 > 193.0.9.6.53: 25637+ NS? 240.170.91.in-addr.arpa. (41)
15:42:17.285180 IP 198.51.100.111.12355 > 193.0.9.6.53: 2937+ NS? 161.170.91.in-addr.arpa. (41)
15:42:17.287632 IP 198.51.100.111.12349 > 193.0.9.6.53: 10901+ NS? 140.170.91.in-addr.arpa. (41)
15:42:17.289047 IP 198.51.100.111.12353 > 193.0.9.6.53: 5836+ NS? 151.170.91.in-addr.arpa. (41)
15:42:17.290467 IP 198.51.100.111.12345 > 193.0.9.6.53: 27309+ NS? 72.170.91.in-addr.arpa. (40)
15:42:17.290768 IP 198.51.100.111.12353 > 193.0.9.6.53: 12086+ NS? 222.170.91.in-addr.arpa. (41)
15:42:17.293204 IP 198.51.100.111.12345 > 193.0.9.6.53: 11166+ NS? 18.170.91.in-addr.arpa. (40)
15:42:17.295645 IP 198.51.100.111.12352 > 193.0.9.6.53: 39386+ NS? 236.170.91.in-addr.arpa. (41)
15:42:17.372712 IP 198.51.100.111.12358 > 193.0.9.6.53: 38521+ NS? 186.170.91.in-addr.arpa. (41)
15:42:17.373354 IP 198.51.100.111.12357 > 193.0.9.6.53: 12234+ NS? 17.170.91.in-addr.arpa. (40)
15:42:17.376064 IP 198.51.100.111.12355 > 193.0.9.6.53: 57668+ NS? 78.170.91.in-addr.arpa. (40)
15:42:17.376730 IP 198.51.100.111.12360 > 193.0.9.6.53: 471+ NS? 63.170.91.in-addr.arpa. (40)
15:42:17.377841 IP 198.51.100.111.12346 > 193.0.9.6.53: 28222+ NS? 24.170.91.in-addr.arpa. (40)
15:42:17.378622 IP 198.51.100.111.12354 > 193.0.9.6.53: 4806+ NS? 155.170.91.in-addr.arpa. (41)
15:42:17.383139 IP 198.51.100.111.12360 > 193.0.9.6.53: 52949+ NS? 238.170.91.in-addr.arpa. (41)
15:42:17.383625 IP 198.51.100.111.12357 > 193.0.9.6.53: 33411+ NS? 144.170.91.in-addr.arpa. (41)
15:42:17.385732 IP 198.51.100.111.12350 > 193.0.9.6.53: 28922+ NS? 102.170.91.in-addr.arpa. (41)
15:42:17.387811 IP 198.51.100.111.12348 > 193.0.9.6.53: 42377+ NS? 91.170.91.in-addr.arpa. (40)
15:42:17.561288 IP 198.51.100.111.12356 > 193.0.9.6.53: 4876+ NS? 198.170.91.in-addr.arpa. (41)
15:42:17.561655 IP 198.51.100.111.12355 > 193.0.9.6.53: 13669+ NS? 237.170.91.in-addr.arpa. (41)
15:42:17.564855 IP 198.51.100.111.12354 > 193.0.9.6.53: 28575+ NS? 25.170.91.in-addr.arpa. (40)
15:42:17.565368 IP 198.51.100.111.12346 > 193.0.9.6.53: 46899+ NS? 160.170.91.in-addr.arpa. (41)
15:42:17.566114 IP 198.51.100.111.12359 > 193.0.9.6.53: 13618+ NS? 136.170.91.in-addr.arpa. (41)
15:42:17.566488 IP 198.51.100.111.12351 > 193.0.9.6.53: 39483+ NS? 100.170.91.in-addr.arpa. (41)
15:42:17.566610 IP 198.51.100.111.12360 > 193.0.9.6.53: 62806+ NS? 210.170.91.in-addr.arpa. (41)
15:42:17.568187 IP 198.51.100.111.12347 > 193.0.9.6.53: 4137+ NS? 173.170.91.in-addr.arpa. (41)
15:42:17.568671 IP 198.51.100.111.12350 > 193.0.9.6.53: 20949+ NS? 80.170.91.in-addr.arpa. (40)
15:42:17.571589 IP 198.51.100.111.12359 > 193.0.9.6.53: 42337+ NS? 149.170.91.in-addr.arpa. (41)
15:42:17.572364 IP 198.51.100.111.12352 > 193.0.9.6.53: 57590+ NS? 22.170.91.in-addr.arpa. (40)
15:42:17.573469 IP 198.51.100.111.12348 > 193.0.9.6.53: 29749+ NS? 253.170.91.in-addr.arpa. (41)
15:42:17.573910 IP 198.51.100.111.12352 > 193.0.9.6.53: 59110+ NS? 255.170.91.in-addr.arpa. (41)
15:42:17.575014 IP 198.51.100.111.12360 > 193.0.9.6.53: 47370+ NS? 12.170.91.in-addr.arpa. (40)
15:42:17.575771 IP 198.51.100.111.12346 > 193.0.9.6.53: 63940+ NS? 254.170.91.in-addr.arpa. (41)
15:42:17.575785 IP 198.51.100.111.12348 > 193.0.9.6.53: 38443+ NS? 223.170.91.in-addr.arpa. (41)
15:42:17.589141 IP 198.51.100.111.12349 > 193.0.9.6.53: 55016+ NS? 87.170.91.in-addr.arpa. (40)
15:42:17.590345 IP 198.51.100.111.12351 > 193.0.9.6.53: 38298+ NS? 177.170.91.in-addr.arpa. (41)
15:42:17.592229 IP 198.51.100.111.12356 > 193.0.9.6.53: 46482+ NS? 64.170.91.in-addr.arpa. (40)
15:42:17.592957 IP 198.51.100.111.12351 > 193.0.9.6.53: 7482+ NS? 66.170.91.in-addr.arpa. (40)
15:42:17.593620 IP 198.51.100.111.12355 > 193.0.9.6.53: 14922+ NS? 233.170.91.in-addr.arpa. (41)
15:42:17.595653 IP 198.51.100.111.12353 > 193.0.9.6.53: 32199+ NS? 195.170.91.in-addr.arpa. (41)
15:42:17.595893 IP 198.51.100.111.12351 > 193.0.9.6.53: 38832+ NS? 220.170.91.in-addr.arpa. (41)
15:42:17.597201 IP 198.51.100.111.12359 > 193.0.9.6.53: 35078+ NS? 0.170.91.in-addr.arpa. (39)
15:42:17.600857 IP 198.51.100.111.12351 > 193.0.9.6.53: 48462+ NS? 162.170.91.in-addr.arpa. (41)
15:42:17.603152 IP 198.51.100.111.12351 > 193.0.9.6.53: 5778+ NS? 79.170.91.in-addr.arpa. (40)
15:42:17.603634 IP 198.51.100.111.12350 > 193.0.9.6.53: 59122+ NS? 249.170.91.in-addr.arpa. (41)
15:42:17.604657 IP 198.51.100.111.12358 > 193.0.9.6.53: 61985+ NS? 73.170.91.in-addr.arpa. (40)
15:42:17.605404 IP 198.51.100.111.12353 > 193.0.9.6.53: 34196+ NS? 251.170.91.in-addr.arpa. (41)
15:42:17.606421 IP 198.51.100.111.12347 > 193.0.9.6.53: 215+ NS? 246.170.91.in-addr.arpa. (41)
15:42:17.606485 IP 198.51.100.111.12348 > 193.0.9.6.53: 46219+ NS? 97.170.91.in-addr.arpa. (40)
15:42:17.613379 IP 198.51.100.111.12352 > 193.0.9.6.53: 34606+ NS? 95.170.91.in-addr.arpa. (40)
15:42:17.613694 IP 198.51.100.111.12360 > 193.0.9.6.53: 36842+ NS? 184.170.91.in-addr.arpa. (41)
15:42:17.620329 IP 198.51.100.111.12348 > 193.0.9.6.53: 58641+ NS? 84.170.91.in-addr.arpa. (40)
15:42:17.621118 IP 198.51.100.111.12355 > 193.0.9.6.53: 39122+ NS? 247.170.91.in-addr.arpa. (41)
15:42:17.629740 IP 198.51.100.111.12351 > 193.0.9.6.53: 26824+ NS? 169.170.91.in-addr.arpa. (41)
15:42:17.632967 IP 198.51.100.111.12346 > 193.0.9.6.53: 30869+ NS? 207.170.91.in-addr.arpa. (41)
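
Added example, not part of the original message or of the rate limiting patch: a small Python model of why unique qnames can still share one rate-limit bucket. It assumes, based only on the log lines above naming `170.91.in-addr.arpa` rather than each qname, that referrals are counted under the delegation point, and it uses a simple per-second count instead of the patch's real accounting. The sample lines, `CUTS` and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Line shape of the tcpdump capture shown above.
QUERY_RE = re.compile(
    r"^(\d\d:\d\d:\d\d)\.\d+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \S+: "
    r"\d+\+? (\w+)\? (\S+?)\.? \(\d+\)$"
)

def parse(line):
    """Return (second, client /24, qtype, qname) or None if not a query line."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    second, src, qtype, qname = m.groups()
    net = ipaddress.ip_network(src + "/24", strict=False)
    return second, str(net), qtype, qname.lower()

def delegation_point(qname, cuts):
    """Closest enclosing zone cut for qname (assumed bucket key for referrals)."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in cuts:
            return candidate
    return qname

def over_limit(lines, limit, key_fn):
    """Count queries per (second, client net, key, qtype); return buckets > limit."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            second, net, qtype, qname = rec
            counts[(second, net, key_fn(qname), qtype)] += 1
    return {k: v for k, v in counts.items() if v > limit}

# Constructed sample: 30 distinct qnames from one /24 within the same second.
SAMPLE = [
    f"15:42:17.{240000 + i:06d} IP 198.51.100.111.{12345 + i % 16} > 193.0.9.6.53: "
    f"{1000 + i}+ NS? {i}.170.91.in-addr.arpa. ({len(str(i)) + 38})"
    for i in range(30)
]
CUTS = {"170.91.in-addr.arpa"}  # assumed delegation point, as named in the log
LIMIT = 25                      # responses-per-second from the posted config

by_qname = over_limit(SAMPLE, LIMIT, lambda q: q)
by_referral = over_limit(SAMPLE, LIMIT, lambda q: delegation_point(q, CUTS))
print("keyed on qname:", by_qname)
print("keyed on delegation point:", by_referral)
```

Keyed on qname, no bucket exceeds the limit; keyed on the delegation point, all 30 queries land in one bucket and exceed 25.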



