> From: Mohamed Lrhazi <[email protected]>

> ...
> Also, one could say that by enabling RRL, we are adding a weakness
> to the system:
> - Attack using large number of unique queries and unique source IPs,
> aiming at exhausting our RAM...
>
> Is that a valid criticism? Does BIND RRL mitigate that? Should one add
> logic to disable the whole RRL after reaching some QPS threshold?

I think that code must handle error conditions that can be anticipated
and handled.  The BIND RRL patch tries to handle state table size
problems by:
  - having a minimum size to reduce cold-start issues,
  - having a maximum size to avoid crashing under very high load,
  - always reusing the least recently used state table entry even when
     the window for that entry has not expired.

I suspect discussions like this should be on the DNS Response Rate
Limits mailing list and not here.  If so, please see
http://lists.redbarn.org/mailman/listinfo/ratelimits


Vernon Schryver    [email protected]
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
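As an added illustration of the bounded state table described in the reply above (not BIND's RRL code, and not posted by either correspondent): a rate-limit table with a hard maximum number of entries that, when full, recycles the least recently used entry even if that entry's window has not expired. The per-entry accounting here is an assumed token bucket (credit of responses_per_second * window, refilled at responses_per_second), client addresses are aggregated to an assumed /24 (IPv4) or /56 (IPv6), and the traffic in run_scenario is constructed for the demonstration. It contrasts a bounded table with an effectively unbounded one under the "many unique source IPs" attack from the quoted question: the bounded table holds memory flat, at the price of forgetting the legitimate client's history when its slot is reused.

```python
from collections import OrderedDict
import ipaddress


class RRLTable:
    """Bounded rate-limit state table with LRU slot reuse (illustrative, not BIND's)."""

    def __init__(self, max_entries, responses_per_second, window,
                 ipv4_prefix=24, ipv6_prefix=56):
        self.max_entries = max_entries
        self.rps = responses_per_second
        self.window = window
        self.ipv4_prefix = ipv4_prefix          # assumed aggregation widths
        self.ipv6_prefix = ipv6_prefix
        # (client block, response class) -> [last_seen, credit]; insertion
        # order doubles as the LRU order.
        self.entries = OrderedDict()
        self.evicted_live = 0                   # slots reused before their window expired

    def _key(self, src_ip, response_class):
        addr = ipaddress.ip_address(src_ip)
        prefix = self.ipv4_prefix if addr.version == 4 else self.ipv6_prefix
        block = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        return (str(block), response_class)

    def check(self, now, src_ip, response_class):
        """Return True if the response may be sent, False if it is rate limited."""
        key = self._key(src_ip, response_class)
        entry = self.entries.get(key)
        if entry is None:
            if len(self.entries) >= self.max_entries:
                # Table full: reuse the least recently used slot whether or not
                # its window has expired. Memory stays bounded; that client's
                # history is lost and it starts a fresh window next time.
                _, victim = self.entries.popitem(last=False)
                if now - victim[0] < self.window:
                    self.evicted_live += 1
            entry = [now, float(self.rps * self.window)]   # fresh slot, full credit
            self.entries[key] = entry
        else:
            self.entries.move_to_end(key)                   # mark most recently used
        last, credit = entry
        # Replenish at responses_per_second, capped at one window's worth.
        credit = min(self.rps * self.window, credit + (now - last) * self.rps)
        entry[0] = now
        if credit >= 1.0:
            entry[1] = credit - 1.0
            return True
        entry[1] = credit
        return False


def run_scenario(max_entries, attacker_sources=5000):
    """Constructed traffic: one legitimate resolver, then a flood from many /24s."""
    rclass = ("example.com", "A", "NOERROR")
    table = RRLTable(max_entries=max_entries, responses_per_second=5, window=2)

    # t=0: legitimate resolver bursts 30 identical-class queries; 10 pass, 20 limited.
    before = sum(table.check(0.0, "192.0.2.10", rclass) for _ in range(30))

    # t=1: attacker sends one query from each of attacker_sources distinct /24 blocks.
    for i in range(attacker_sources):
        src = f"10.{(i >> 8) & 255}.{i & 255}.1"
        table.check(1.0, src, rclass)

    # t=1: the legitimate resolver bursts again. If its slot survived it has
    # only the credit refilled during that second; if it was recycled it
    # starts over with a full window.
    after = sum(table.check(1.0, "192.0.2.10", rclass) for _ in range(30))

    return {
        "legit_answered_before": before,
        "table_size": len(table.entries),
        "live_entries_reused": table.evicted_live,
        "legit_answered_after": after,
    }


if __name__ == "__main__":
    print("bounded  :", run_scenario(max_entries=1000))
    print("unbounded:", run_scenario(max_entries=10**6))
```

With max_entries=1000 the table never exceeds 1000 slots no matter how many source blocks the attacker uses, but the legitimate resolver's state is among the slots recycled, so its second burst is answered as if it had never been limited. With an effectively unbounded table, memory grows with the number of distinct sources and the resolver's second burst gets only the credit refilled in the meantime. Which trade-off is acceptable is exactly the operational question raised in the quoted message.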
