[ratelimits] Referrals incorrectly limited.
vjs at rhyolite.com
Tue Jan 8 21:51:17 UTC 2013
> From: john <jbond at ripe.net>
> It appears that these responses are being incorrectly rate limited.
> Attached in tcpdump.log is output from a tcpdump session showing that
> the client in question queried 66 unique qnames . named.rrl.log is the
> output from the rate limiting patch showing that the client would have
> been blocked.
> Each of the queries results in a referral to the same set of name
> servers. i.e. the additional section in each response is exactly the
> same; however i thought that as the qname was unique the limiting would
> not kick in? Perhaps this is due to the fact that there is no answer
That rate limiting applies to referrals is an intended feature.
Without that feature, a bad guy could get a recursive server throttled
or worse as it tries to deal with a flood of requests.
Also without that feature, referrals for random, invalid names would be
useful from DNS reflection attacks.
`dig +dnssec asdfasdf.ripe.net ns @a.gtld-servers.net` is good for
an amplification of about 11X.
`dig +dnssec 220.127.116.11.91.in-addr.arpa ns @ns.ripe.net` gives me
a response of 362 bytes. That means requests for
<random>.170.170.91.in-addr.arpa ns" are good for reflection attacks
with an amplification of about 6.5X. That is as not big as other
available amplifications, but it has the advantage to bad guys of what
I assume is your substantial bandwidth and it might not be noticed as
soon as similar attacks using the roots.
What is a legitimate reason for more than 25 referrals per second
(from your "responses-per-second 25") from a single DNS client
for reverse DNS lookups in 18.104.22.168/16?
Are you sure you do not want to squelch 198.51.100.111 for reasons
other than DNS reflection attacks?
If 198.51.100.111 were some other address, my guess would be that it
is one of the many evil DNS clients that walk through in-addr.arpa
looking for domain names to abuse.
Did you replace the real DNS client IP address in your mail message
with 198.51.100.111? If not, that it is appears at all in your DNS
server logs sounds like a problem.
Vernon Schryver vjs at rhyolite.com
More information about the ratelimits