[ratelimits] defaults for DNS-RRL

Daniel Stirnimann stirnima at switch.ch
Thu Mar 7 10:13:45 UTC 2013


Hi Tony

Thanks for your corrections to the defaults. It seems I took the value 5
from somewhere else.

>>   // set to max.  of query load the server can handle x WINDOW
>>   max-table-size 1000000;
> 
> The documentation suggests that the table size should be about
> the query rate per second, not per window.

You are right, the documentation suggests setting it only to about the
query rate per second. I got the other definition from the paper
"Defending against DNS reflection amplification attacks",
http://www.nlnetlabs.nl/downloads/publications/report-rrl-dekoning-rozekrans.pdf

"MAX-TABLE-SIZE RRL needs to keep state of the unique responses in order
to be able to assign penalties. This entry sets the maximum amount of
entries (called state blobs) which can be stored at the same time. This
should be set to the product of the window size and maximum queries per
second. 10000 state blobs should take about one megabyte of server
memory. MaxQPS × Window = Tablesize."

Daniel
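The two sizing rules above (about the query rate per second versus the
product of query rate and window) differ by how many distinct state blobs
a window's worth of traffic actually creates. The following toy model is
an added example, not code from this post, from BIND or from the paper:
it counts the peak number of blobs alive at once for constructed query
streams, using a blob identity of (client network, response) with the
documented /24 and /56 prefix lengths and an assumed 15-second window
(BIND's documented default). Every blob is kept until the window has
passed since it was last touched, which is a simplification of BIND's
real eviction policy.

```python
"""Toy model of the RRL state table (added example; not from the original
post, BIND, or the paper). Query streams below are constructed, and the
window length is an assumption (BIND's documented default)."""
import ipaddress

WINDOW = 15            # seconds; assumed default RRL window
BYTES_PER_BLOB = 100   # from the paper's "10000 state blobs ~ 1 MB"


def rrl_key(client_ip, qname, qtype, rcode):
    """Blob identity: the client's network (/24 for IPv4, /56 for IPv6, the
    documented default prefix lengths) plus the response it was sent."""
    plen = 56 if ":" in client_ip else 24
    net = ipaddress.ip_network(f"{client_ip}/{plen}", strict=False)
    return (str(net), qname.lower(), qtype, rcode)


def peak_live_blobs(queries, window=WINDOW):
    """Peak number of blobs alive at once when a blob is kept until `window`
    seconds after it was last touched (simplification of BIND's policy).

    queries: iterable of (time_ms, client_ip, qname, qtype, rcode); integer
    millisecond timestamps keep the expiry arithmetic exact."""
    expiry = {}
    peak = 0
    for t, client, qname, qtype, rcode in sorted(queries):
        for k in [k for k, e in expiry.items() if e <= t]:   # drop idle blobs
            del expiry[k]
        expiry[rrl_key(client, qname, qtype, rcode)] = t + window * 1000
        peak = max(peak, len(expiry))
    return peak


def suggest_max_table_size(peak_qps, window=WINDOW):
    """Return (documentation rule, paper rule, paper rule in MB).
    The documentation sizes the table at about the query rate; the paper
    sizes it at qps * window, the worst case where every query in a window
    is a new blob."""
    per_paper = peak_qps * window
    return peak_qps, per_paper, per_paper * BYTES_PER_BLOB / 1e6


# --- constructed query streams: 100 qps for 30 s each -----------------------
QPS, DURATION = 100, 30


def stream_all_unique():
    """Worst case: every query comes from a new /24 and asks a new name."""
    return [(i * 1000 // QPS, f"10.{i // 256}.{i % 256}.1",
             f"q{i}.example.com", "A", "NOERROR")
            for i in range(QPS * DURATION)]


def stream_reflection():
    """Reflection attack: one spoofed victim source, one amplifying answer."""
    return [(i * 1000 // QPS, "203.0.113.7", "example.com", "ANY", "NOERROR")
            for i in range(QPS * DURATION)]


def stream_mixed():
    """20 client networks cycling through 10 names: 200 distinct blobs."""
    return [(i * 1000 // QPS, f"10.{i % 20}.0.1",
             f"n{(i // 20) % 10}.example.com", "A", "NOERROR")
            for i in range(QPS * DURATION)]


if __name__ == "__main__":
    for name, stream in (("all unique", stream_all_unique()),
                         ("reflection", stream_reflection()),
                         ("mixed", stream_mixed())):
        print(f"{name:11s} peak live blobs: {peak_live_blobs(stream)}")
    doc, paper, mb = suggest_max_table_size(QPS)
    print(f"max-table-size: ~{doc} (documentation) or {paper} (paper, ~{mb} MB)")
```

With 100 qps the all-unique stream needs 1500 blobs, exactly qps × window,
while the reflection stream needs one and the mixed stream 200, so the
per-second rule in the documentation is only adequate when most queries in
a window repeat the same (client network, response) pair. Sizing from the
product is the safe upper bound and, at roughly 100 bytes per blob, costs
little memory.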

