[ratelimits] RRL patch is too talkative when dropping queries
Vernon Schryver
vjs at rhyolite.com
Wed Jun 12 16:57:14 UTC 2013
> From: Phil Mayers <p.mayers at imperial.ac.uk>
> > There should be no danger of the messages filling a disk if the channels
> > that receive query-errors category messages have limits. For example:
>
> I think the problem here is that they're being sent over syslog, so the
> bind limits don't apply?
Yes, the BIND logging file size limits do not affect messages sent to
syslog. However, the messages seem to me to have a BIND log file
format instead of a syslog format. The timestamp format differs from
BSD syslog. There is no hostname, process name, or process ID.
I just now noticed that the messages are a mixture of "slip" and
"drop" messages, and so are less similar than I thought. That
suggests that the familiar syslog message compression would not
help if the messages were being sent to syslog.
I also just now realized that the strings of asterisks (*) are obfuscations
of IP addresses. The fact that the "slip" and "drop" messages do not
alternate suggests the IP addresses differ. That suggests that the
DNS reflection attack was against a network instead of a host, that
there were multiple concurrent attacks, or that the messages are
pointing out possible problems that might be addressed by exempting
some IP addresses from RRL with views or exempt-clients{}.
Vernon Schryver vjs at rhyolite.com
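The two mitigations the message refers to, bounding the query-errors channel with BIND's own file limits and exempting selected addresses from RRL, can be expressed in a named.conf fragment. The following is an added example, not text from the message or from the BIND sources; the file path, the size and version counts, the rate values and the 192.0.2.0/24 and 2001:db8::/32 prefixes are constructed placeholders.

```conf
// Added example (not from the original post): bound the RRL log and
// exempt known-good clients from rate limiting.
logging {
    // A file channel with "versions" and "size" is rotated by named
    // itself, so a flood of slip/drop messages cannot fill the disk.
    channel rrl_file {
        file "/var/log/named/rrl.log" versions 3 size 20m;  // constructed path
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    // A syslog channel has no size limit of its own; anything sent
    // here is bounded only by the syslog daemon's configuration.
    channel rrl_syslog {
        syslog daemon;
        severity info;
    };

    // RRL slip/drop messages are logged in the query-errors category.
    // Send them to the size-limited file channel rather than to syslog.
    category query-errors { rrl_file; };
};

options {
    rate-limit {
        responses-per-second 10;   // constructed value
        window 5;                  // constructed value
        slip 2;                    // every 2nd dropped response is truncated instead

        // Addresses that should never be rate limited, e.g. your own
        // resolvers or monitoring hosts (constructed prefixes).
        exempt-clients { 192.0.2.0/24; 2001:db8::/32; };

        // Uncomment to observe what RRL would do without dropping anything:
        // log-only yes;
    };
};
```

With `log-only yes` the same slip/drop messages are produced without any response being dropped, which makes it possible to judge from the log alone whether the non-alternating addresses are one attack against a whole network, several concurrent attacks, or legitimate clients that belong in `exempt-clients`, before RRL is switched on for real.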