[ratelimits] Referrals incorrectly limited.

john jbond at ripe.net
Wed Jan 9 18:38:50 UTC 2013

On 1/9/13 6:18 PM, Vernon Schryver wrote:
>> From: john <jbond at ripe.net>
>>> I do not understand "not under that attack at the moment" reasoning.
>> The point is more that enabling the patch will block legitimate traffic.
> Do you disagree with my claim that in almost all legitimate cases not
> in the middle of an attack, RRL does not *block* DNS traffic but only
> slows it down by forcing legitimate DNS clients to retry or switch to TCP?
No I agree admittedly I do keep forgetting that fact; however the first
concern I have is that if we force a lot of this traffic over to TCP we
could start to exhaust TCP resources.

> Consider computing the next address by adding 16777259 to the 32
> number representing the previous address.  I think that would scatter
> requests widely enough to avoid small RRL limits at any DNS server
> responsible for a modest number of in-addr.arpa /16 blocks.  It also
> doesn't do badly for /8 authorities, although caching should make that
> moot.  If 30% of IPv4 addresses is delegated to RIPE, then each hit
> on RIPE servers should be separated by hits on 2 other authorities,
> thereby slowing the hits on RIPE DNS servers.
> 16777259 might be improved; it is merely the smallest prime > 2**24.
> It might be better to use the multiplicative group instead of addition.
Thanks ill pass this advice on to the researcher.


More information about the ratelimits mailing list