[ratelimits] new type of attack or stuck client?
Wolfgang S. Rupprecht
wolfgang.rupprecht at gmail.com
Thu May 23 23:05:07 UTC 2013
Is this an attack or just a stuck client? Up to this point the only
attacks I saw were forged UDP/ANY against domains I'm authoritative for.
Maybe there is a need for a hard slip limit to break loops like this?
E.g. after a certain number of slips the server simply starts dropping.
$ grep "view authoritative: slip NODATA response to 66.180.248.0/24 for dumbcat.snafu.org IN" /var/named/data/rl.log | wc
877 15786 163024
23-May-2013 15:30:31.420 queries: info: client 66.180.248.130#60934 (dumbcat.snafu.org): view authoritative: query: dumbcat.snafu.org IN A - (24.6.202.204)
23-May-2013 15:30:31.420 rate-limit: debug 3: consider limiting NODATA response to 66.180.248.0/24 for dumbcat.snafu.org IN (05b0ea2c)
23-May-2013 15:30:31.421 queries: info: client 66.180.248.130#60934 (dumbcat.snafu.org): view authoritative: slip NODATA response to 66.180.248.0/24 for dumbcat.snafu.org IN (05b0ea2c)
23-May-2013 15:30:31.449 queries: info: client 66.180.248.130#33476 (dumbcat.snafu.org): view authoritative: query: dumbcat.snafu.org IN A - (24.6.202.204)
23-May-2013 15:30:31.449 rate-limit: debug 3: consider limiting NODATA response to 66.180.248.0/24 for dumbcat.snafu.org IN (05b0ea2c)
23-May-2013 15:30:31.449 queries: info: client 66.180.248.130#33476 (dumbcat.snafu.org): view authoritative: slip NODATA response to 66.180.248.0/24 for dumbcat.snafu.org IN (05b0ea2c)
23-May-2013 15:30:31.477 queries: info: client 66.180.248.130#4624 (dumbcat.snafu.org): view authoritative: query: dumbcat.snafu.org IN A - (24.6.202.204)
23-May-2013 15:30:31.477 rate-limit: debug 3: consider limiting NODATA response to 66.180.248.0/24 for dumbcat.snafu.org IN (05b0ea2c)
view "authoritative" {
    recursion no;
    additional-from-auth no;
    additional-from-cache no;
    notify yes;               // send NOTIFY msgs for updated zones.
    empty-zones-enable no;
    rate-limit {
        responses-per-second 5;   // default: 0
        slip 1;                   // default: 2
        exempt-clients {
            clients;              // all of our networks.
            wsrcc-acl;            // our primaries and secondaries.
        };
        // window 15;             // default: 15 sec
    };
};
-wolfgang
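One way to tell a stuck client from a flood when reading rl.log, as an added example that is not part of the post or of BIND: parse the query-category lines, keep only the "slip" events, and flag a client that collects slip after slip for the same name from a fresh source port each time, which is what a resolver that re-sends over UDP instead of retrying over TCP looks like. The log excerpt reuses the lines quoted above plus constructed continuation lines; the thresholds (three slips inside the 15-second window) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample rl.log excerpt: lines 1-4 are the query/slip pairs quoted in the post;
# the rest are constructed (one more retry from a fresh source port, and a
# second client that is slipped once and then stops).
SAMPLE_LOG = """\
23-May-2013 15:30:31.420 queries: info: client 66.180.248.130#60934 (dumbcat.snafu.org): view authoritative: query: dumbcat.snafu.org IN A - (24.6.202.204)
23-May-2013 15:30:31.421 queries: info: client 66.180.248.130#60934 (dumbcat.snafu.org): view authoritative: slip NODATA response to 66.180.248.0/24 for dumbcat.snafu.org IN (05b0ea2c)
23-May-2013 15:30:31.449 queries: info: client 66.180.248.130#33476 (dumbcat.snafu.org): view authoritative: query: dumbcat.snafu.org IN A - (24.6.202.204)
23-May-2013 15:30:31.449 queries: info: client 66.180.248.130#33476 (dumbcat.snafu.org): view authoritative: slip NODATA response to 66.180.248.0/24 for dumbcat.snafu.org IN (05b0ea2c)
23-May-2013 15:30:31.477 queries: info: client 66.180.248.130#4624 (dumbcat.snafu.org): view authoritative: query: dumbcat.snafu.org IN A - (24.6.202.204)
23-May-2013 15:30:31.478 queries: info: client 66.180.248.130#4624 (dumbcat.snafu.org): view authoritative: slip NODATA response to 66.180.248.0/24 for dumbcat.snafu.org IN (05b0ea2c)
23-May-2013 15:30:40.100 queries: info: client 192.0.2.7#53001 (dumbcat.snafu.org): view authoritative: query: dumbcat.snafu.org IN A - (24.6.202.204)
23-May-2013 15:30:40.101 queries: info: client 192.0.2.7#53001 (dumbcat.snafu.org): view authoritative: slip NODATA response to 192.0.2.0/24 for dumbcat.snafu.org IN (05b0ea2c)
"""

# Matches the query-category lines; "rate-limit: debug 3" lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?P<ip>[\d.]+)#(?P<port>\d+) \((?P<qname>[^)]+)\): "
    r"view \S+: (?P<event>query|slip)\b"
)

def find_slip_loops(log_text, min_slips=3, max_span_s=15.0):
    """Return {(client_ip, qname): info} for clients stuck in a slip loop.

    A slip is a truncated reply telling the client to retry over TCP. A client
    that instead re-sends the same UDP query from a new source port collects a
    new slip each time; flag (ip, qname) pairs with at least min_slips slips,
    all from distinct ports, inside max_span_s seconds (assumed thresholds).
    """
    slips = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["event"] == "slip":
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            slips[(m["ip"], m["qname"])].append((ts, int(m["port"])))
    loops = {}
    for key, events in slips.items():
        events.sort()
        ports = sorted({port for _, port in events})
        span_s = (events[-1][0] - events[0][0]).total_seconds()
        if len(events) >= min_slips and len(ports) == len(events) and span_s <= max_span_s:
            loops[key] = {"slips": len(events), "ports": ports, "span_s": span_s}
    return loops

if __name__ == "__main__":
    for (ip, qname), info in find_slip_loops(SAMPLE_LOG).items():
        print(f"{ip} stuck on {qname}: {info['slips']} slips in {info['span_s']:.3f}s")
```

A client flagged this way is a candidate for the hard slip limit proposed above, or for a per-client exempt/deny entry, rather than for tightening responses-per-second for everyone.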