[dns-operations] rate-limiting state

Vernon Schryver vjs at rhyolite.com
Fri Feb 7 00:58:14 UTC 2014

> From: Colm MacCárthaigh <colm at stdlib.net>

> I chose a fairly typical number, which is actually below average. Arbor's
> data on DDOS puts 10M somewhere between the 40th and 50th percentile.  I'd
> be really surprised if OpenDNS's pipes fill up with that kind of small
> volume.

That seems to assume that the infamous Gbit/sec DNS reflection attacks
involve one or at most a handful of mirrors.  That assumption is wrong.

> > so, third, let's look squarely at "large enough UDP flow to activate RRL".
> 10M requests/sec for www.example.com, type=A. Would that be large enough?

10 Mqps is about 1,000,000 times higher than necessary to trigger DNS
RRL.  I think 5 or 10 qps is an appropriate DNS response rate limit
(although many operators like 50 or even 100).  5, 10, or even 500 qps
is a bad limit if your DNS rate limiting is naive firewall counting
that pays attention only to source addresses. 

>                           but I don't think that the numbers work out. If
> you're getting an attack of 10M PPS, which is very realistic, you'll end up
> denying service to real users.

In most cases (i.e. not OpenDNS, Google, Comcast, etc.), if you're
getting 10 Mqps, then your DNS server is denying service to real
users regardless of any response rate limiting, because 10M DNS
queries/second is perhaps 4 Gbit/sec as well as a healthy CPU load.
What is the queryperf number of your DNS system over localhost?
(queryperf is a common tool for measuring how many queries your DNS
system can answer.)

Vernon Schryver    vjs at rhyolite.com
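
The contrast drawn above between DNS RRL and naive per-source counting, as an added example that is not part of the original post: both limiters run at 10 responses/sec over one second of constructed traffic. The /24 grouping, the fixed one-second window, the function names and all addresses and names are assumptions made for illustration; real RRL implementations differ in detail.

```python
# Added example: constructed traffic, simplified fixed one-second window.
from collections import Counter
from ipaddress import ip_network

LIMIT = 10  # responses per second per bucket; the post suggests 5 or 10

def source_key(q):
    """Naive firewall-style counting: the source address is the whole key."""
    src, qname, qtype = q
    return src

def rrl_key(q):
    """RRL-style counting: client /24 plus the response being requested."""
    src, qname, qtype = q
    block = ip_network(f"{src}/24", strict=False)
    return (str(block), qname.lower(), qtype)

def run_second(queries, key_fn, limit=LIMIT):
    """Return a Counter of source -> answered queries for one second."""
    seen, answered = Counter(), Counter()
    for q in queries:
        k = key_fn(q)
        seen[k] += 1
        if seen[k] <= limit:
            answered[q[0]] += 1
    return answered

def build_traffic():
    """One second of constructed queries (documentation address ranges)."""
    # Spoofed flood: 1000 identical queries carrying the victim's address.
    flood = [("192.0.2.10", "www.example.com", "A")] * 1000
    # Busy recursive resolver: 200 queries, each for a different name.
    resolver = [("198.51.100.53", f"host{i}.example.com", "A")
                for i in range(200)]
    # Interleave so arrival order does not favour either source.
    mixed = []
    for i in range(1000):
        mixed.append(flood[i])
        if i < 200:
            mixed.append(resolver[i])
    return mixed

def compare():
    """Answered-query counts per source under each keying scheme."""
    traffic = build_traffic()
    return {name: dict(run_second(traffic, fn))
            for name, fn in (("naive", source_key), ("rrl", rrl_key))}

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

Both schemes cap the reflected flood at 10 responses, but the source-only counter also cuts the resolver from 200 answers to 10, while keying on the response leaves its distinct queries untouched.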
