[dns-operations] DDoS botnet behaviour

Tony Finch dot at dotat.at
Mon Jun 11 14:42:36 UTC 2012

Vernon Schryver <vjs at rhyolite.com> wrote:
> How many hash functions are you using, what are they, and how do you
> know that they are sufficiently independent to give a tolerable false
> positive rate without using as much RAM as a single classic hash table?

You can use a linear combination of two hash functions to get an arbitrary
number of Bloom filter indexes - it's as good as the same number of
independent functions. http://www.eecs.harvard.edu/~kirsch/pubs/bbbf/esa06.pdf

At the moment I'm just using BIND's sockaddr_hash routine, adapted to hash
on the network prefix and to provide two variant hashes. It has the nice
property of being randomised when the server starts.

> What is your estimate for the memory required for a simple hash
> based scheme?

I haven't done the sums yet, sorry.

> Do you believe that single set of Bloom filter parameters can serve an
> interesting class of installations without using more RAM than a classic
> hash function?  To understate it--I don't.

Of course not :-) But I think it will be possible to set them
automatically based on overall query rate.

I only started work on this on Friday so it's early days :-)

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Shannon: Variable 3 at first in southeast, otherwise northerly 4 or 5,
occasionally 6 later. Moderate. Showers. Good.

More information about the dns-operations mailing list