[dns-operations] DDoS botnet behaviour

Tony Finch dot at dotat.at
Mon Jun 11 12:44:52 UTC 2012

Vernon Schryver <vjs at rhyolite.com> wrote:
> The second issue concerns log noise and the popular enthusiasm for
> using Bloom filters for DNS response rate limiting.  I've heard more
> than one suggestion for using Bloom filters for DNS response rate
> limiting.  Bloom filters are a great idea for some things but I think
> they a problem instead of a solution here.

They might turn out to be part of a solution.

The reason I'm basing my work on a Bloom filter is to avoid any per-client
scaling costs. There's a fixed per-packet overhead, a fixed memory cost
(which should be scaled with the server's overall load), and a fairly
cheap periodic cleaning task. No dynamic memory allocation.

Your operational criticisms of the probabilistic approach are quite
correct. It may also turn out to cost too much to get an acceptably low
false positive rate.

But, it might be worth putting a smallish Bloom filter in front of an
accurate traffic accounting system, so that the server only needs to spend
resources tracking the heaviest users, along the lines described in

Thanks for your informative messages!

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Biscay, FitzRoy: Cyclonic 4 or 5 at first in north, otherwise westerly or
northwesterly 6 or 7, decreasing 4 or 5. Moderate or rough. Thundery showers.
Moderate or good.

More information about the dns-operations mailing list