[dns-operations] ok, DNS RRL (rate limits) are officially, seriously, cool

Paul Vixie paul at redbarn.org
Sat Jun 23 23:19:35 UTC 2012


from the PNG graphic below you should be able to tell that this name
server (one of the "rove ip" or "dns changer" replacement dns servers;
the one responsible for what were once rove digital's chicago
properties) has been used for some kind of dns amplification attacks.
input is green, output is blue.

you should also be able to see that we installed the DNS RRL patches on
these servers at ~2300Z friday.

see <http://www.redbarn.org/dns/ratelimits> for the technical
specification, BIND administrator documentation, and BIND 9.8.latest and
9.9.latest patch files.

note that the server graphed below is an open recursive, and that we
don't really know how to rate limit these in a way that limits false
positives and false negatives, but we were desperate, so we used:

        rate-limit {
                responses-per-second 10;
                window 10;
        };

which is higher and deeper than what should be needed for an authority
DNS name server. (DNS RRL is only known-good for dns authority servers
-- so this example is an off-label use or "hail mary pass" which happens
to work out well.)

we're counting on the fact that nobody is running a home mail server or
web server using these recursive servers -- in other words we think
we're talking only to web browsers. opendns and googledns are likely way
smarter, and we're not (vernon schryver and myself) ready to certify the
current logic for recursive dns servers. you should put ACLs on your
recursive name servers to keep them from being used from off-network.
don't be an open recursive, in other words, unless you're as smart as
opendns and googledns about how to control abuse.

here are the graphs. i totally love this.

paul

Attachments (scrubbed by the list archive): an HTML copy of this message
<https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20120623/e2b9c2b1/attachment.html>
and the two traffic graphs referred to above, as BMP images:
<https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20120623/e2b9c2b1/attachment.bin>
<https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20120623/e2b9c2b1/attachment-0001.bin>
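An added example, not part of Paul's message and not BIND's own rrl.c: a simplified Python token-bucket model of what the `rate-limit { responses-per-second 10; window 10; }` block above does. Identical responses (same question, same rcode) headed for the same client netblock share one credit balance; the balance earns `responses-per-second` credits each second, may bank up to `window` seconds' worth, and once exhausted further copies are dropped, except that every `slip`-th one goes out as a truncated (TC=1) reply so a genuine resolver can retry over TCP. The `slip 2` and `/24` values are the documented RRL defaults, not settings from the post; the traffic mix below is constructed, not measured. The model is for understanding the mechanism and does not reproduce BIND's exact bookkeeping.

```python
"""Simplified model of DNS Response Rate Limiting (RRL) as a token bucket.

Illustration only: not BIND's rrl.c, not code from the mailing-list post.
Parameters mirror the post's config (responses-per-second 10, window 10);
slip=2 and a /24 client prefix are the documented RRL defaults (assumed here).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RRL:
    responses_per_second: int = 10
    window: int = 10           # seconds of credit a client block may bank
    slip: int = 2              # every slip-th limited response is sent truncated
    ipv4_prefix_length: int = 24
    _credits: dict = field(default_factory=dict, repr=False)  # key -> (credits, last_second)
    _limited: dict = field(default_factory=dict, repr=False)  # key -> limited-response counter

    def _key(self, client_ip, qname, qtype, rcode):
        # RRL limits *identical responses*: same answer to the same client block.
        net = ipaddress.ip_network(f"{client_ip}/{self.ipv4_prefix_length}", strict=False)
        return (str(net), qname.rstrip(".").lower(), qtype.upper(), rcode)

    def decide(self, second, client_ip, qname, qtype, rcode="NOERROR"):
        """Return 'send', 'slip' (truncated TC=1 reply) or 'drop' for one response."""
        key = self._key(client_ip, qname, qtype, rcode)
        rate, cap = self.responses_per_second, self.responses_per_second * self.window
        credits, last = self._credits.get(key, (rate, second))
        # Earn `rate` credits per elapsed second, banking at most `window` seconds' worth.
        credits = min(cap, credits + rate * (second - last))
        credits -= 1
        # The deficit is capped too, so a block that goes quiet is forgiven
        # after about `window` seconds instead of being penalised indefinitely.
        credits = max(-cap, credits)
        self._credits[key] = (credits, second)
        if credits >= 0:
            return "send"
        n = self._limited.get(key, 0) + 1
        self._limited[key] = n
        if self.slip and n % self.slip == 0:
            return "slip"
        return "drop"


def simulate_amplification(rrl, n_spoofed=200):
    """One second of a reflection attack against a server protected by `rrl`.

    Constructed traffic: n_spoofed identical ANY queries whose source addresses
    are spoofed from the victim's /24 (so they all land in one bucket), plus three
    ordinary queries for different names (three separate buckets). Returns counts
    keyed by (traffic label, decision).
    """
    counts = {}

    def tally(label, decision):
        counts[(label, decision)] = counts.get((label, decision), 0) + 1

    for i in range(n_spoofed):
        tally("spoofed", rrl.decide(0, f"198.51.100.{i % 256}", "isc.org", "ANY"))
    for i, name in enumerate(["www.example.com", "mail.example.net", "ns1.example.org"]):
        tally("ordinary", rrl.decide(0, f"203.0.113.{i + 10}", name, "A"))
    return counts


def recovery_after(rrl, seconds_quiet):
    """After the burst, what happens to one more identical query at t=seconds_quiet?"""
    return rrl.decide(seconds_quiet, "198.51.100.7", "isc.org", "ANY")


if __name__ == "__main__":
    r = RRL()
    for (label, decision), n in sorted(simulate_amplification(r).items()):
        print(f"{label:9s} {decision:5s} {n}")
    print("5s later:", recovery_after(r, 5), "| 20s later:", recovery_after(r, 20))
```

The point the model makes visible is why the post's settings matter: with a 10/s rate the first ten identical answers per second leave at full size, after which the reflector emits at most a half-size-or-smaller TC=1 reply for every second query and nothing for the rest, so the amplification factor collapses while a real resolver behind the /24 still gets a retry path. It also shows the trade-off Paul flags for recursive use: a whole /24 of legitimate clients asking the same popular name shares one bucket, which is exactly the false-positive risk that makes RRL "only known-good" on authority servers.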