[dns-operations] ok, DNS RRL (rate limits) are officially, seriously, cool

Paul Vixie paul at redbarn.org
Mon Jun 25 14:27:37 UTC 2012


On 2012-06-25 7:40 AM, Klaus Darilion wrote:
>
> On 24.06.2012 01:19, Paul Vixie wrote:
>>
>>
>>
> Nice. But I wonder why there is a drop-down of outgoing packets during
> an amplification attack. I would expect that outgoing traffic is
> constant. Maybe, in this case also legitimate queries are blocked
> (false positive).

it's hard to see on this graph, but on these servers, the output rate
for valid queries always suffers during an input spike. i don't see the
same depression on authority servers i run elsewhere. i believe that
what's happening is that the recursive servers can't hear their
cache-miss responses which are lost in the storm due to upstream path
congestion. vernon and i are researching this.

i would very much welcome similar graphs from other people using DNS RRL
in production (or who can test at those input volumes.)

also: if you are an operator feeling these attacks and you're able to
invest time and energy into helping to track them back, there's a
private ops-t work party ("madmax") that i'd like to invite you into.
let me know.

paul
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20120625/1c3150d4/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/bmp
Size: 637446 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20120625/1c3150d4/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/bmp
Size: 703302 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20120625/1c3150d4/attachment-0001.bin>
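The false-positive question raised in the quoted reply comes down to how RRL accounts responses: identical responses toward the same client netblock share one token bucket, so a spoofed flood and a real resolver can only collide when they sit in the same /24 and ask for the same response. The simulation below is an added example, not code from this post or from the RRL implementation it discusses; it is a simplified model of the mechanism (per-/24 bucket keyed on name and type, a per-second credit refill capped by a window, and a slip setting that sends every N-th excess answer truncated so a real client can retry over TCP). All traffic, addresses and rate/slip/window values are constructed for illustration.

```python
"""Simplified model of DNS Response Rate Limiting (RRL).

Added example, not code from the original post or from the RRL patch
it discusses. Responses that look the same (same client /24, same qname,
same qtype) share a token bucket; the traffic mix and the parameters
below are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Bucket:
    credits: int
    dropped: int = 0   # consecutive excess responses, used for the slip count


@dataclass
class RRL:
    responses_per_second: int = 5
    window: int = 15        # seconds of credit a bucket may accumulate
    slip: int = 2           # every slip-th excess response is sent truncated
    buckets: dict = field(default_factory=dict)

    def _key(self, client_ip: str, qname: str, qtype: str):
        # IPv4 clients are grouped by /24, the usual RRL default
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net), qname.lower(), qtype)

    def decide(self, client_ip: str, qname: str, qtype: str) -> str:
        """Return 'send', 'slip' (TC=1, forces a TCP retry) or 'drop'."""
        key = self._key(client_ip, qname, qtype)
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = Bucket(credits=self.responses_per_second)
        if bucket.credits > 0:
            bucket.credits -= 1
            bucket.dropped = 0
            return "send"
        bucket.dropped += 1
        if self.slip and bucket.dropped % self.slip == 0:
            return "slip"
        return "drop"

    def tick(self) -> None:
        """Once per second: refill every bucket, capped at rate * window."""
        cap = self.responses_per_second * self.window
        for b in self.buckets.values():
            b.credits = min(cap, b.credits + self.responses_per_second)


def simulate(rrl: RRL, seconds: int = 3, attack_qps: int = 200) -> dict:
    """Run a constructed traffic mix through RRL and tally outcomes per class."""
    tally = defaultdict(lambda: defaultdict(int))
    for _ in range(seconds):
        # 1. reflection flood: spoofed sources in 192.0.2.0/24, one name, ANY
        for i in range(attack_qps):
            r = rrl.decide(f"192.0.2.{i % 256}", "example.net", "ANY")
            tally["spoofed flood"][r] += 1
        # 2. resolvers in other netblocks asking varied names: separate buckets
        for i in range(20):
            r = rrl.decide(f"198.51.100.{i}", f"host{i}.example.net", "A")
            tally["legit, other netblocks"][r] += 1
        # 3. a real resolver inside the spoofed /24 asking the same name/type:
        #    it shares the flooded bucket, so this is where false positives land
        r = rrl.decide("192.0.2.53", "example.net", "ANY")
        tally["legit, victim /24, same response"][r] += 1
        # 4. the same resolver asking a different name: its own bucket, unaffected
        r = rrl.decide("192.0.2.53", "www.example.net", "A")
        tally["legit, victim /24, other response"][r] += 1
        rrl.tick()
    return {cls: dict(counts) for cls, counts in tally.items()}


if __name__ == "__main__":
    for cls, counts in simulate(RRL()).items():
        print(f"{cls:40s} {counts}")
```

With these parameters the flood is cut to five answers per second plus truncated slips, resolvers elsewhere are untouched, and the only collateral damage is the resolver that shares both the spoofed /24 and the flooded response, which still gets a truncated answer it can retry over TCP. That is the shape of RRL's false positives; it does not by itself explain an across-the-board dip in valid output, which is consistent with the upstream-congestion explanation offered in the post.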

