[ratelimits] Double CPU usage with RRL

Kelsey Cummings kgc at corp.sonic.net
Tue Oct 15 21:47:17 UTC 2013


> The Open Resolver Project http://openresolverproject.org/
> seems to be currently reporting more than 28 million open recursive
> resolvers.  http://openresolverproject.org/breakdown.cgi
> There is no excuse for most of those 28M to be open, but I bet there
> are millions that are like the open recursive resolvers of Google,
> OpenDNS, and evidently Sonic.net that must be open for various good
> and compelling reasons.  They need protection.

Actually, the problem for an ISP doesn't have much to do with being an 
open recursive server.  We're about to plug that hole but it is going
to do little to prevent our servers from seeing the effects of the
amplification attacks.  The bulk of those open recursive resolvers are
probably residential gateways that are answering DNS requests on their 
WAN interfaces and happily forwarding them to the ISP's recursive servers.
We're trying to limit responses to requests sourced by our own customers!

If anyone from an ISP big enough to be experiencing this problem happens 
to see this, I'd love to know what you guys are doing to mitigate it.  I
assume blocking port 53 inbound to customers from all but known recursive
servers is the end game but we're not that interested in breaking new 
ground.

-- 
Kelsey Cummings - kgc at corp.sonic.net      sonic.net, inc.
System Architect                          2260 Apollo Way
707.522.1000                              Santa Rosa, CA 95407
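As an added illustration of the bookkeeping behind the response rate limiting this list is about (my example, not code from the post or from any resolver implementation): identical responses are counted per client /24 per second, and anything above the limit is what RRL would drop or slip. The log lines are constructed, and the 2-responses-per-second limit, the /24 aggregation and the BIND-style log layout are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed BIND-style query-log lines (not from the original post). The
# 198.51.100.23/.24 clients stand in for customer gateways forwarding queries
# they accepted on their WAN side; 198.51.100.40 is an ordinary customer.
SAMPLE_LOG = """\
15-Oct-2013 14:31:02.101 client 198.51.100.23#51234: query: isc.org IN ANY +E
15-Oct-2013 14:31:02.103 client 198.51.100.23#51234: query: isc.org IN ANY +E
15-Oct-2013 14:31:02.105 client 198.51.100.23#51234: query: isc.org IN ANY +E
15-Oct-2013 14:31:02.110 client 198.51.100.40#40012: query: www.example.com IN A +
15-Oct-2013 14:31:02.120 client 198.51.100.24#3074: query: isc.org IN ANY +E
15-Oct-2013 14:31:03.005 client 198.51.100.23#51234: query: isc.org IN ANY +E
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[^#\s]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (second, client_ip, qname, qtype) for each parseable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not query-log entries
        second = m.group("ts").split(".")[0]  # drop milliseconds: one bucket per second
        yield second, ipaddress.ip_address(m.group("ip")), m.group("qname"), m.group("qtype")


def rrl_accounting(text, responses_per_second=2, prefix_len=24):
    """Simplified model of RRL accounting (an assumption, not BIND's code).

    Responses are keyed by (second, client prefix, qname, qtype); the returned
    'over' map lists how many responses per key exceed the configured limit,
    i.e. the responses a rate limiter would withhold or truncate.
    """
    counts = Counter()
    for second, ip, qname, qtype in parse_query_log(text):
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        counts[(second, str(net), qname, qtype)] += 1
    over = {k: c - responses_per_second for k, c in counts.items() if c > responses_per_second}
    return counts, over


if __name__ == "__main__":
    counts, over = rrl_accounting(SAMPLE_LOG)
    for key, excess in over.items():
        print(f"{key}: {counts[key]} responses, {excess} over limit")
```

Aggregating on the /24 rather than the single address is why the two gateways' queries land in one bucket; the single A query and the next second's lone ANY stay under the limit.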