[ratelimits] RRL patch is too talkative when dropping queries

Vernon Schryver vjs at rhyolite.com
Wed Jun 12 16:57:14 UTC 2013


> From: Phil Mayers <p.mayers at imperial.ac.uk>

> > There should be no danger of the messages filling a disk if the channels
> > that receive query-errors category messages have limits.  For example:
>
> I think the problem here is that they're being sent over syslog, so the 
> bind limits don't apply?

Yes, the BIND logging file size limits do not affect messages sent to
syslog.  However, the messages seem to me to have a BIND log file
format instead of a syslog format.  The timestamp format differs from
BSD syslog.  There is no hostname, process name, or process ID.

I just now noticed that the messages are a mixture of "slip" and
"drop" messages, and so are less similar than I thought.  That
suggests that the familiar syslog message compression would not
help if the messages were being sent to syslog.

I also just now realized that the strings of astrisks (*) are obfuscations
of IP addresses.  The fact that the "slip" and "drop" messages do not
alternate suggests the IP addresses differ.  That suggests that the
DNS reflection attack wa against a network instead of a host, that
there were multiple concurrent attacks, or that the messages are
pointing out possible problems that might be addressed by exempting
some IP addresses from RRL with views or exempt-clients{}.


Vernon Schryver    vjs at rhyolite.com


More information about the ratelimits mailing list