Knowledge Base ISC Main Website Ask a Question/Contact ISC
A Quick Introduction to Response Rate Limiting
Author: ISC Support Reference Number: AA-01000 Views: 15797 Created: 2013-06-12 18:56 Last Updated: 2014-04-09 23:44 0 Rating/ Voters

What is RRL?

RRL, or Response Rate Limiting, is an enhancement to implementations of the DNS protocol that can help mitigate DNS amplification attacks (see KB article AA-00897). In such an attack, the attacker sends high volumes of forged DNS queries to a large number of authoritative DNS servers, using the victim computer's IP address as the source of the request. The victim computer sees huge numbers of replies to questions that it did not ask. The authoritative servers have no way of knowing whether any particular DNS query is real or malicious, but can detect patterns and clusters of queries when they are abused at high volumes. If a goodly number of authoritative servers can all be tricked into sending high-volume replies to the same victim computer, it is quite likely to collapse from overload.

RRL helps mitigate DNS denial-of-service attacks by reducing the rate at which authoritative servers respond to high volumes of malicious queries. The RRL mechanism is part of BIND 9.10, and was available as a software build option in BIND 9.9.4. 

The Problem

Any internet protocol based on UDP is suitable for use in a denial-of-service attack, but DNS is especially well suited for such malevolence. There are three reasons:

  1. The User Datagram Protocol, or UDP, which is the norm for DNS traffic, was not designed with source validation in mind.  DNS server software such as BIND cannot tell by examining a particular packet whether the source address in that packet is real or fraudulent.  An attacker can therefore send DNS queries forged to look like they came from the intended victim, causing the DNS server to send the replies to that victim.  This is a "reflected attack".
  2. Most ISPs do not check for forged source addresses in outbound packets.  This allows forged-address reflection attacks to be launched from almost anywhere. 
  3. Small DNS queries can generate large responses, allowing the attacker to send a lot less traffic than the victim receives, thereby amplifying the attack.  For example, an EDNS query for the name isc.org of type ANY is 36 bytes long (not counting the wire headers) and triggers a response that is 3,576 bytes long.  By using an authoritative DNS server as an unwitting accomplice, an attacker can achieve a nearly 100-fold increase in the amount of traffic that being directed at the victim and they can conceal the source of the attack as well.

A Solution

If one packet with a forged source address arrives at a DNS server, there is no way for the server to tell it is forged. If hundreds of packets per second arrive with very similar source addresses asking for similar or identical information, there is a very high probability of those packets, as a group, being part of an attack. The RRL software has two parts. It detects patterns in arriving queries, and when it finds a pattern that suggests abuse, it can reduce the rate at which the replies are sent. 

The Results

Operators of large authoritative servers have reported huge reductions in network traffic and server load after enabling RRL.  Additionally, these servers are no longer seen as participating in abusive network behavior as fewer illegitimate responses are reaching their intended targets.  The impact on legitimate traffic has been minimal.

For more information

KB article AA-00994 outlines how to use the RRL feature in BIND 9.10. As with all BIND features, the complete documentation is in the BIND Administrators' Reference Manual, the ARM.  PDF and HTML versions of that manual are part of every release of BIND

© 2001-2014 Internet Systems Consortium

Feedback 17
  • #
    [JEM]: unknown option 'rate-limit', though compiled in 2014-01-29 20:50

    named is built with --enabe-rrl, but still get the error:

    unknown option 'rate-limit'.

    have checked and rechecked configuration as well and have gone with the simplest until can get it working:

    rate-limit { responses-per-second 5; log-only yes; };

    Any suggestions? This is on a centos5 server.

    --Joyce M

  • #
    [Cathy Almond]: Re: unknown option 'rate-limit', though compiled in 2014-01-30 10:52

    Either the version of named that you're running isn't the one that you most recently built (did it install into the directory you expected it to?), or there was a problem with the ./configure step (you can do a 'make clean' before doing ./configure to make sure that there's no possibility of inheriting an older set of configure options).

    You can check the ./configure options that were used to build the version of named that you're running by using the -V option. For example:

    $ /usr/local/sbin/named -V

  • #
    [ Peto]: Adding RRL conf suspend bind 2014-01-17 13:10

    Hi,
    I install bind:
    ns2:/var/named/etc# named -v
    BIND 9.9.4-P2 (Extended Support Version)
    with RRL option. After adding rate-limits to config, bind dont work. If I remove, work. Why?

    Thanks

  • #
    [Cathy Almond]: Re: Adding RRL conf suspend bind 2014-01-28 12:58

    Please build BIND with --enable-rrl if you wish to use this functionality.

  • #
    [ praveen]: BIND RRL configuration 2013-12-19 07:05

    I could compile bind-9.9.4 on centos 6.3 64 bit.
    Its working with rate-limit. Go by the Readme
    ./configure --enable -rrl

  • #
    [ CatalinL]: Defaults values 2013-10-08 12:26

    After compling 9.9.4 with rate-limit, i noticed entries in rate-limit log file without configuring any rate-limit option in named.conf
    So the question is what are the defaults values for rate-limit after compiling ?

  • #
    [Brian Conry]: Re: Defaults values 2013-10-17 16:10

    While we usually say that rate limiting is not enabled by default, there is one exception to this: the built-in _bind CHAOS class view used for answering version.bind, authors.bind, and other related queries. Does this cover the RRL logging you saw?

    The rate-limit clause on that view looks like:

    rate-limit {
    responses-per-second 3;
    slip 0;
    min-table-size 10;
    };

  • #
    [ speednic]: RRL rate-limit don´t work 2013-09-29 00:18

    I have seen that BIND 9.9.4 is available now, I have installed it but the same problem - unknown option rate-limit

    Sep 29 00:09:52 cluster02 named[7038]: starting BIND 9.9.4 -c /etc/bind/named.conf
    Sep 29 00:09:52 cluster02 named[7038]: built with defaults

    are there some hints to activate RRL ?

    thx alex

  • #
    [Cathy Almond]: Re: RRL rate-limit don´t work 2013-10-01 12:20

    Apologies, although the option to enable RRL was included in the README file in the tarball, this step was not clearly explained as necessary in this article. We've updated this article and added a new FAQ to explain this. Please build BIND with --enable-rrl if you wish to use this functionality.

  • #
    [ Martin]: 9.9.4 - unknown option 'rate-limit' 2013-09-20 16:45

    # named -v
    BIND 9.9.4 (Extended Support Version)
    in options section:
    rate-limit {
    responses-per-second 5;
    log-only yes;
    };
    The result after service named restart:
    Error in named configuration:
    /etc/named.conf:47: unknown option 'rate-limit'

  • #
    [Cathy Almond]: Re: 9.9.4 - unknown option 'rate-limit' 2013-10-01 12:33

    Please build BIND with --enable-rrl if you wish to use this functionality.

  • #
    [ alan]: enabling rrl 2013-09-20 00:42

    A look at configure --help indicates that the solution is --enable-rrl. This also doesn't show up in the config status that's supposed to show what options are available and what are configured (it seems to be very short on those actually).

  • #
    [Cathy Almond]: Re: enabling rrl 2013-10-01 16:44

    Thanks for commenting on this - I've added the specific request that we show whether or not rrl is enabled to an existing ticket (RT #34796) for improving the information provided in the configuration summary.

    For future reference, please see https://www.isc.org/downloads/bind/ for information on where to report bugs and request new features.

  • #
    [ Alan]: rate-limit invalid 2013-09-20 00:39

    I also just installed the release 9.9.4 and got the unknown option error

  • #
    [Cathy Almond]: Re: rate-limit invalid 2013-10-01 12:27

    Please build BIND with --enable-rrl if you wish to use this functionality.

  • #
    [Renato]: BIND RRL configuration 2013-08-02 13:51

    I configured the "rate-limit" on my server 9.9.3-P2 and got the following error:
    "config: error: /etc/named.conf: 52: unknown option 'rate-limit'"
    I have found no reference on the RRL "9.9 BIND Administrator Reference Manual"

  • #
    [Cathy Almond]: Re: BIND RRL configuration 2013-10-01 12:23

    Apologies - we published this article too hastily, omitting the information that Response Rate Limiting is only available in BIND 9 from version 9.9.4 onwards. We've updated the article to explain this, as well as providing links to the unsupported open source patches that can be used until BIND 9.9.4 is available. (Subscription versions of BIND 9.9.3 already have RRL built-in.)

Info Submit Feedback on this Article
Nickname: Your Email: Subject: Comment:
Enter the code below:
Quick Jump Menu