[dns-operations] rate-limiting state

Patrick W. Gilmore patrick at ianai.net
Fri Feb 7 15:05:54 UTC 2014


On Feb 7, 2014, at 9:56, Tony Finch <dot at dotat.at> wrote:
> David C Lawrence <tale at akamai.com> wrote:
>> 
>> Maybe Patrick glossed over the mere "1000 qps", which for many (most?
>> hand-waving) operators doesn't even blip as an attack.  At the
>> attack-level traffic to which he is accustomed, the inbound requests
>> can easily surpass the server's ability to generate responses even if
>> it ends up not sending most of them.
> 
> At that point the name server itself is the victim, and there isn't
> anything it can do about the attack - DDoS mitigation has to happen well
> upstream of the victim.
> 
> I picked 1000pps because it is enough to trigger RRL without killing the
> server.

Yeah, I missed the 1K number. Was thinking 10M which was discussed before.

I agree with David, 1K qps, while enough to trigger RRL, really wouldn't hurt anyone or anything else, so hardly worth talking about.

Sorry for my confusion and resulting noise on the list.

-- 
TTFN,
patrick