What is RRL?
RRL, or Response Rate Limiting, is an enhancement to the DNS protocol which serves as a tool for mitigating DNS amplification attacks.
At this time, RRL implementation is only recommended for authoritative servers.
DNS is easily used for reflected denial-of-service (DOS) attacks, with three factors combining to make it a popular choice.
- UDP, which is commonly used for DNS traffic, was not designed with source validation in mind. Consequently BIND responds to packets with a forged source the same as it does to legitimate packets. An attacker can therefore send DNS queries forging an IP address of the victim as the source address, causing the DNS server to send the replies to the victim. This is a "reflected attack".
- Most ISPs do not check the source address of packets that they send to ensure that the source address matches a network block managed by that ISP. This allows forged-address attacks to be launched from a large portion of the Internet.
- Small DNS queries can generate large responses, allowing the attacker to send a lot less traffic than the victim receives, amplifying the attack. For example, an EDNS0 query for isc.org of type ANY is 36 bytes long (not counting the UDP, IP, and Ethernet headers) and triggers a response that is 3,576 bytes log (not counting UDP, IP, and Ethernet headers.) By reflecting, an attacker can cause a nearly 100x increase in the amount of traffic that they are directing at the victim and they can conceal the source of the attack as well.
While we cannot know which source addresses are forged and which are not, we can look at the pattern of requests and responses and infer with a high degree of confidence when there is an attack. We can then use this information to throttle responses, cutting off the attack. Incoming queries are NOT throttled by RRL.
Operators of large authoritative servers have reported huge
reductions in network traffic and server load after enabling RRL.
Additionally, these servers are no longer seen as participating in
abusive network behavior as fewer illegitimate responses are reaching
their intended targets. The impact on legitimate traffic has been minimal.
Sample BIND RRL configuration
To enable RRL, a rate-limit clause must be added to an options or view statement within named.conf.
As a very simple example scenario, let's say your authoritative server
for example.com is being flooded with queries for the address record of
testhost.example.com with the DO (DNSSEC
OK) bit set. example.com is DNSSEC-signed so our reply packet size
will be somewhat large. In the query log, you are seeing something like
07-Jun-2013 12:27:34.102 queries: info: client 126.96.36.199#58540 (testhost.example.com): query: testhost.example.com IN A +ED (188.8.131.52)
07-Jun-2013 12:27:41.606 queries: info: client 184.108.40.206#55979 (testhost.example.com): query: testhost.example.com IN A +ED (220.127.116.11)
07-Jun-2013 12:27:59.196 queries: info: client 18.104.22.168#47516 (testhost.example.com): query: testhost.example.com IN A +ED (22.214.171.124)
queries are appearing to originate from 126.96.36.199 but given the frequency of the repeated query, it would be reasonable to suspect that these queries are spoofed and 188.8.131.52 is the target of a DDOS attack.
this is your first use of RRL, perhaps you would like to test its behavior before
actually limiting responses -- you can see what RRL would do before actually having it limit responses. You can do this by setting "log-only yes" during configuration. Edit named.conf and add the following rate-limit clause in your global options:
After a configuration reload, you will now see messages such as the following in your logs:
07-Jun-2013 12:41:42.336 queries: info: client 184.108.40.206#53459 (testhost.example.com): query: testhost.example.com IN A +ED (220.127.116.11)
07-Jun-2013 12:41:42.336 query-errors: info: client 18.104.22.168#53459 (testhost.example.com): would rate limit slip response to 22.214.171.124/24 for testhost.example.com IN A (3ee9836b)
When you feel comfortable with what RRL will actually be limiting, remove the
"log-only yes" and after a reload, you will begin to see:
07-Jun-2013 12:44:44.868 queries: info: client 126.96.36.199#57114 (testhost.example.com): query: testhost.example.com IN A +ED (188.8.131.52)
07-Jun-2013 12:44:44.869 query-errors: info: client 184.108.40.206#57114 (testhost.example.com): rate limit drop response to 220.127.116.11/24 for testhost.example.com IN A (3ee9836b)
RRL is highly configurable
to combat many attack scenarios. We recommend reading the Response Rate Limiting section
of the BIND9 Adminstrator Reference Manual (ARM) for an in-depth review of the RRL configuration options.
© 2001-2014 Internet Systems Consortium