[ratelimits] FYI-- a story about rate limit deployment

Mark Boolootian booloo at ucsc.edu
Thu Jan 24 20:09:55 UTC 2013

Attached is a graph showing the success of deploying RRL here.  Our
authoritative name servers are generally very lightly loaded,
typically seeing no more than 50 packets/second.  On January 5th, we
began seeing reflection attacks targeting a variety of destinations,
with pps rates jumping to 5K+, where they have remained.  We installed
the RRL patches on January 8th, configured thusly:

  rate-limit {
    responses-per-second 5;
    window 5;

The benefit was immediate and significant.  In the attached graph,
blue is traffic outbound from the authoritative name servers, green

-------------- next part --------------
A non-text attachment was scrubbed...
Name: DNS-RRL.png
Type: image/png
Size: 21480 bytes
Desc: not available
URL: <http://lists.redbarn.org/pipermail/ratelimits/attachments/20130124/ac1071c4/attachment-0001.png>

More information about the ratelimits mailing list