[dns-operations] rate-limiting state

Tony Finch dot at dotat.at
Fri Feb 7 12:09:03 UTC 2014

Colm MacCárthaigh <colm at stdlib.net> wrote:
> I don't see anyone disputing my example, and I'm not calling out RRL's
> ability to dampen a reflection attack. I'm saying that RRL can be used to
> counter-attack your users.  Let's say a busy website gets 1,000 QPS of
> "real" user queries. If I want those queries to survive say with 2 retries,
> then I need to let through 40% of traffic to have a 95p confidence of them
> getting an answer. Yes, I'll have mitigated the reflection to 4Gbit/sec,
> but meanwhile users will be seeing increased resolution times and timeouts.

You seem to be assuming that RRL is a blanket rate limit. It is not.

If my busy name server is getting 1000 qps of real traffic from all over
the net, and 1000 qps of attack traffic "from" some victim, then RRL will
attenuate responses to the victim without affecting other users.

In the absence of RRL, the victim will be denied service by overwhelming
traffic. In the presence of RRL the victim might have slightly slower DNS

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
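To make the per-bucket point concrete, here is a small simulation added to this page (it is not code from Tony Finch, Colm MacCárthaigh, or any real RRL implementation). It models the general RRL design, counters keyed on (client /24, qname, qtype) with every N-th over-limit answer "slipped" as a truncated reply, next to a single server-wide counter, and runs one second of the traffic mix described in the thread: 1000 real clients from distinct /24s plus 1000 spoofed queries carrying the victim's address. The limit of 5 responses per second, the slip of 2, the 10.x.y.7 and 192.0.2.1 addresses and the query name are assumed values chosen for the example.

```python
"""Simplified model of DNS Response Rate Limiting (RRL) next to a blanket limit.

Constructed example for this page. The model follows the general RRL design
(accounting per client netblock and per response, with every N-th over-limit
answer "slipped" as a small truncated reply so a genuine client can retry over
TCP); the limits, addresses and traffic mix below are assumed values, not
measurements and not the configuration of any real name server.
"""
from collections import Counter, defaultdict
import ipaddress

RESPONSES_PER_SECOND = 5   # assumed per-bucket limit
SLIP = 2                   # assumed: every 2nd over-limit query gets a TC=1 reply


def bucket_key(client_ip, qname, qtype):
    """RRL keys its counters on (client /24, response), never on the whole server."""
    net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
    return (str(net), qname.lower(), qtype)


class RRL:
    """Per-bucket limiter: one counter per (client /24, qname, qtype)."""

    def __init__(self, limit=RESPONSES_PER_SECOND, slip=SLIP):
        self.limit = limit
        self.slip = slip
        self.sent = defaultdict(int)   # full answers sent this second, per bucket
        self.over = defaultdict(int)   # over-limit queries seen, per bucket

    def decide(self, client_ip, qname, qtype):
        key = bucket_key(client_ip, qname, qtype)
        if self.sent[key] < self.limit:
            self.sent[key] += 1
            return "answer"
        self.over[key] += 1
        if self.slip and self.over[key] % self.slip == 0:
            # Tiny TC=1 reply: no amplification, and a real client retries over TCP.
            return "truncate"
        return "drop"


class BlanketLimit:
    """What a server-wide cap does: one counter shared by every client."""

    def __init__(self, limit):
        self.limit = limit
        self.sent = 0

    def decide(self, client_ip, qname, qtype):
        if self.sent < self.limit:
            self.sent += 1
            return "answer"
        return "drop"


def one_second(limiter, real_clients=1000, attack_qps=1000, victim="192.0.2.1"):
    """One second of traffic: real clients, each in its own /24, asking once,
    interleaved with spoofed queries carrying the victim's source address.
    Returns per-class counts of the limiter's decisions."""
    real = [(f"10.{i >> 8}.{i & 255}.7", "real") for i in range(real_clients)]
    spoofed = [(victim, "victim") for _ in range(attack_qps)]
    # Alternate the two streams so the order does not favour either side.
    mixed = [q for pair in zip(real, spoofed) for q in pair]
    mixed += real[attack_qps:] + spoofed[real_clients:]
    results = {"real": Counter(), "victim": Counter()}
    for src, cls in mixed:
        results[cls][limiter.decide(src, "www.example.com", "A")] += 1
    return results


if __name__ == "__main__":
    for name, limiter in (("RRL", RRL()), ("blanket 1000 rps", BlanketLimit(1000))):
        r = one_second(limiter)
        print(f"{name:16s} real clients: {dict(r['real'])}  victim: {dict(r['victim'])}")
```

Under the per-bucket model every one of the 1000 real clients is answered, because each sits in its own bucket, while the 1000 spoofed queries all land in the victim's single bucket and are cut to 5 full answers plus a stream of truncated and dropped replies. The blanket counter, by contrast, answers roughly half of each class, which is the behaviour the 40%/95p arithmetic in the quoted message assumes.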
