[ratelimits] new type of attack or stuck client?

Vernon Schryver vjs at rhyolite.com
Thu May 23 23:31:32 UTC 2013

> From: "Wolfgang S. Rupprecht" <wolfgang.rupprecht at gmail.com>

> Is this an attack or just a stuck client?  Up to this point the only
> attacks I saw were forged UDP/ANY against domains I'm authoritative for.

7 requests/sec  (given 'responses-per-second 5', I assume there were 5
"consider limiting" log messages before the 2 slips)
isn't much of an attack even if the responses were 3 KBytes instead
of practically empty NODATA.

7 requests/second could be part of a distributed attack, but a bad guy
smart enough to mount a distributed attack would surely pick non-empty

smart enough to stay below 5 qps.

> Maybe there is a need for a hard slip limit to break loops like this?
> Eg. after a certain number of slips the server simply starts dropping.

There's no law that requires "slip 1".
In other words, if you use a "slip" value larger than 1, you'll drop queries.

The goals of RRL do not include policing stupid DNS clients, but only
(1) to mitigate DNS reflection DoS attacks with (2) minimum collateral
damage.  As long as bad guys cannot reflect more than 1 byte toward
the target for every byte sent to the reflecting DNS server, the DNS
server is bad guys and goal #1 is met.

> $ grep "view authoritative: slip NODATA response to for dumbcat.snafu.org IN" /var/named/data/rl.log | wc
>     877   15786  163024

877 plus some number of 5 qps responses plus some other number of
isolated queries over what period?

I bet you've got some a too smart by half idiot using your cute name
dumbcat.snafu.org as some sort of network health beacon.

Vernon Schryver    vjs at rhyolite.com

More information about the ratelimits mailing list