[ratelimits] rate limiting options for large recursors

Vernon Schryver vjs at rhyolite.com
Thu Oct 3 00:33:31 UTC 2013 

> From: William Taylor <williamt at corp.sonic.net>

> I was wondering if anyone could recommend some starting rate-limit options
> for large recursors. Any insight would be most appreciated.
>
> Right now to test with I have this:
>
>         rate-limit {
>                 responses-per-second 100;
>                 window 5;
>                 ipv4-prefix-length 32;
>                 log-only yes;
>         };

Generalizations or rules of thumb are likely to be inaccurate, as with
many abuse defenses.  But since you ask, I think:
   - Changing or even caring about "window" is probably a mistake.
       Almost everyone is mistaken about what "window" does, probably
       because of confusing documentation that is partly my fault
       and because of changes since the documenting.  "Window" only
       affects the duration of what you might call the "penalty box."
       A large stream of identical responses are is dropped for
       "window" seconds after it stops being large.

   - The right IP prefix for an ISP depends on the size of IP address block
       it gives its customers.  If customers get /32s, then that is
       the right prefix.  If customers get /24s, then a customer with
       one infected host seems likely to have more than one and so an
       IPv4 prefix of 24 sounds reasonable.

   - The right rate limit depends on what your users do with your recursive
       DNS servers.  If their DNS requests are for desktop systems or
       tablets, then a limit of a little below the number of identical
       host names in URLs in web pages sounds right.  But if their DNS
       requests are for SMTP servers (mail receivers) using a DNSBL
       and getting substantial bursts of spam, then you might want a
       rate limit of about their incoming SMTP rate.

       DNSBL users might want to set the optionally separate
       nxdomains-per-second limit higher, legitimate mail should
       generate a lot of DNSBL NXDOMAIN responses.

       100 requests/second is high even for an SMTP server, since it
       would imply 100 mail/second or 8 million mail/day.  The RRL
       limit is NOT a simple, firewall rate limit but a limit on
       identical responses.  100 total qps might not be too generous
       if RRL counted all DNS queries the same like a simple firewall
       rule, but in most cases 100/sec is wrong for RRL.  A single /32
       is unlikely to legitimately query "facebook.com A" even 10 times
       per second even if the total query rate for the (possibly NAT'ed)
       /32 is more than 100 qps.


I'd take all of that with a grain of salt and concentrate on what
"log-only" says would happen with various limits if you were not using
"log-only".


Vernon Schryver    vjs at rhyolite.com

More information about the ratelimits mailing list