[ratelimits] defaults for DNS-RRL

Daniel Stirnimann daniel.stirnimann at switch.ch
Thu Mar 7 15:37:53 UTC 2013


On 07.03.13 15:45, Vernon Schryver wrote:
>> From: Daniel Stirnimann <stirnima at switch.ch>
>> I got the other definition from the paper
>> "Defending against DNS reflection amplification attacks",
>> http://www.nlnetlabs.nl/downloads/publications/report-rrl-dekoning-rozekrans.pdf
>>
>> "MAX-TABLE-SIZE RRL needs to keep state of the unique responses in order
>> to be able to assign penalties. This entry sets the maximum amount of
>> entries (called state blobs) which can be stored at the same time. This
>> should be set to the product of the window size and maximum queries per
>> second. 10000 state blobs should take about one megabyte of server
>> memory. MaxQPS Window = Tablesize."
> 
> Those who know the NSD RRL implementation might want to explain that.

The definition is for BIND9 RRL. It looks quite similar to the
definition in the tech note (http://ss.vix.su/~vixie/isc-tn-2012-1.txt):

I suppose I should stick to the ARM version for the most current
definitions.

Daniel
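The quoted MAX-TABLE-SIZE rule (table size = window in seconds times the peak query rate, at roughly 10000 state blobs per megabyte) is easy to get wrong when sizing a resolver-facing authoritative server, so here is a small sizing helper added as an illustration; it is not code from this thread, from BIND, or from NSD. The arithmetic and the 10000-blobs-per-MB figure come from the text quoted above; the option names `rate-limit`, `responses-per-second`, `window` and `max-table-size` are assumed here to be the BIND 9 `options {}` syntax, and the sample input values (15 s window, 20000 QPS peak, 5 responses/s) are constructed.

```python
"""Sizing helper for a BIND 9 style rate-limit block (illustrative, not from the thread)."""

# Figure quoted in the thread: about 10000 RRL state blobs per megabyte of server memory.
STATE_BLOBS_PER_MB = 10_000


def rrl_table_size(window_seconds: int, max_qps: int) -> int:
    """Upper bound on the number of RRL state entries the server may need
    to keep at once, following the quoted rule: MaxQPS * Window = Tablesize.

    One state blob is kept per distinct (client netblock, response) pair
    seen inside the window, so the product is a worst-case bound, not a
    typical occupancy.
    """
    if window_seconds <= 0 or max_qps <= 0:
        raise ValueError("window and max QPS must be positive integers")
    return window_seconds * max_qps


def estimate_memory_mb(table_size: int) -> float:
    """Approximate memory for the state table, using the 10000 blobs/MB figure."""
    return table_size / STATE_BLOBS_PER_MB


def render_rate_limit(window_seconds: int, max_qps: int,
                      responses_per_second: int) -> str:
    """Render a rate-limit {} block sized for the given window and peak QPS.

    Assumption: option names follow BIND 9 (rate-limit, responses-per-second,
    window, max-table-size); they are not taken from the thread itself.
    """
    table = rrl_table_size(window_seconds, max_qps)
    return (
        "rate-limit {\n"
        f"    responses-per-second {responses_per_second};\n"
        f"    window {window_seconds};\n"
        f"    max-table-size {table};\n"
        "};"
    )


if __name__ == "__main__":
    # Constructed sample input: 15 s window, 20000 QPS peak, 5 identical responses/s allowed.
    window, peak_qps, rps = 15, 20000, 5
    size = rrl_table_size(window, peak_qps)
    print(f"max-table-size = {size} entries (~{estimate_memory_mb(size):.1f} MB)")
    print(render_rate_limit(window, peak_qps, rps))
```

The helper only bounds the table; whether the server actually reaches that occupancy depends on how many distinct client netblocks and response types the peak traffic contains, so treat the memory estimate as a ceiling when planning capacity.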
