[ratelimits] new type of attack or stuck client?

Wolfgang S. Rupprecht wolfgang.rupprecht at gmail.com
Thu May 23 23:05:07 UTC 2013


Is this an attack or just a stuck client?  Up to this point the only
attacks I saw were forged UDP/ANY against domains I'm authoritative for.

Maybe there is a need for a hard slip limit to break loops like this?
E.g., after a certain number of slips the server simply starts dropping.

$ grep "view authoritative: slip NODATA response to 66.180.248.0/24 for dumbcat.snafu.org IN" /var/named/data/rl.log | wc
    877   15786  163024

23-May-2013 15:30:31.420 queries: info: client 66.180.248.130#60934 (dumbcat.snafu.org): view authoritative: query: dumbcat.snafu.org IN A - (24.6.202.204)
23-May-2013 15:30:31.420 rate-limit: debug 3: consider limiting NODATA response to 66.180.248.0/24 for dumbcat.snafu.org IN  (05b0ea2c)
23-May-2013 15:30:31.421 queries: info: client 66.180.248.130#60934 (dumbcat.snafu.org): view authoritative: slip NODATA response to 66.180.248.0/24 for dumbcat.snafu.org IN  (05b0ea2c)
23-May-2013 15:30:31.449 queries: info: client 66.180.248.130#33476 (dumbcat.snafu.org): view authoritative: query: dumbcat.snafu.org IN A - (24.6.202.204)
23-May-2013 15:30:31.449 rate-limit: debug 3: consider limiting NODATA response to 66.180.248.0/24 for dumbcat.snafu.org IN  (05b0ea2c)
23-May-2013 15:30:31.449 queries: info: client 66.180.248.130#33476 (dumbcat.snafu.org): view authoritative: slip NODATA response to 66.180.248.0/24 for dumbcat.snafu.org IN  (05b0ea2c)
23-May-2013 15:30:31.477 queries: info: client 66.180.248.130#4624 (dumbcat.snafu.org): view authoritative: query: dumbcat.snafu.org IN A - (24.6.202.204)
23-May-2013 15:30:31.477 rate-limit: debug 3: consider limiting NODATA response to 66.180.248.0/24 for dumbcat.snafu.org IN  (05b0ea2c)

view "authoritative" {
	recursion no;
	additional-from-auth no;
	additional-from-cache no;
	notify yes;			// send NOTIFY msgs for updated zones.
	empty-zones-enable no;

	rate-limit {
	    responses-per-second 5;	      // default: 0
	    slip 1;			      // default: 2
	    exempt-clients { 
	    	   clients;		      // all of our networks.
		   wsrcc-acl;                 // our primaries and secondaries.
	    };
	    // window 15;	              // default: 15 sec
	};
};

-wolfgang
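
An added example, not part of the original post: a small Python parser that generalizes the `grep | wc` count above by grouping slipped responses per netblock, query name and response type, and reporting distinct client addresses, distinct source ports and the mean interval between slips. The regular expression assumes the exact "slip" line layout quoted in the post; the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: four of the log lines quoted in the post (one query, one debug, two slips).
SAMPLE = """\
23-May-2013 15:30:31.420 queries: info: client 66.180.248.130#60934 (dumbcat.snafu.org): view authoritative: query: dumbcat.snafu.org IN A - (24.6.202.204)
23-May-2013 15:30:31.420 rate-limit: debug 3: consider limiting NODATA response to 66.180.248.0/24 for dumbcat.snafu.org IN  (05b0ea2c)
23-May-2013 15:30:31.421 queries: info: client 66.180.248.130#60934 (dumbcat.snafu.org): view authoritative: slip NODATA response to 66.180.248.0/24 for dumbcat.snafu.org IN  (05b0ea2c)
23-May-2013 15:30:31.449 queries: info: client 66.180.248.130#33476 (dumbcat.snafu.org): view authoritative: slip NODATA response to 66.180.248.0/24 for dumbcat.snafu.org IN  (05b0ea2c)
"""

# Assumption: matches only the "slip" line layout shown in the post; other BIND versions may log differently.
SLIP = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+) \([^)]*\): view (?P<view>\S+): "
    r"slip (?P<rtype>\S+) response to (?P<block>\S+) for (?P<qname>\S+)"
)

def summarize_slips(lines):
    """Group slipped responses by (netblock, qname, response type)."""
    groups = defaultdict(lambda: {"slips": 0, "clients": set(), "ports": set(),
                                  "first": None, "last": None})
    for line in lines:
        m = SLIP.match(line)
        if not m:
            continue  # query lines, debug lines, anything else
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        g = groups[(m["block"], m["qname"], m["rtype"])]
        g["slips"] += 1
        g["clients"].add(m["ip"])
        g["ports"].add(int(m["port"]))
        g["first"] = ts if g["first"] is None else min(g["first"], ts)
        g["last"] = ts if g["last"] is None else max(g["last"], ts)
    return dict(groups)

def mean_interval(g):
    """Mean seconds between consecutive slips in a group, or None for a single slip."""
    if g["slips"] < 2:
        return None
    return (g["last"] - g["first"]).total_seconds() / (g["slips"] - 1)

if __name__ == "__main__":
    for (block, qname, rtype), g in summarize_slips(SAMPLE.splitlines()).items():
        print(f"{block} {qname} {rtype}: slips={g['slips']} clients={len(g['clients'])} "
              f"ports={len(g['ports'])} mean_interval={mean_interval(g)}s")
```

To run it on a real log, pass an open file handle for rl.log to `summarize_slips` in place of `SAMPLE.splitlines()`.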


