lost and found ( for me ? )

BIND : Response Rate Limiting ( RRL )

about RRL
http://www.redbarn.org/dns/ratelimits

RRL mitigates DDoS attacks such as DNS amplification (reflection) attacks, in which an attacker sends queries with the victim's spoofed source address so that the server's large responses flood the victim. With RRL, a server that would send too many identical responses to the same client network starts dropping or truncating them instead.

[ install ]

BIND 9.9.2 does not include RRL, so to use it you need to apply the RRL patch.

Download the BIND 9.9.2 source and the matching patch for BIND 9.9.2:


# ls *9.9.2*
bind-9.9.2.tar.gz  rl-9.9.2.patch

# head -3 rl-9.9.2.patch
diff -r -u bin/named/client.c-orig bin/named/client.c
--- bin/named/client.c-orig     2004-01-01 00:00:00.000000000 +0000
+++ bin/named/client.c  2004-01-01 00:00:00.000000000 +0000


I stored the files like this :
BIND_works/bind-9.9.2 <- bind source
BIND_works/rl-9.9.2.patch <- patch file

# tar xzvf bind-9.9.2.tar.gz
# cd bind-9.9.2

# patch -p0 -l < ../rl-9.9.2.patch
patching file bin/named/client.c
patching file bin/named/config.c
patching file bin/named/include/named/query.h
patching file bin/named/include/named/server.h
patching file bin/named/query.c
patching file bin/named/server.c
patching file bin/named/statschannel.c
patching file bin/tests/system/README
patching file bin/tests/system/conf.sh.in
patching file bin/tests/system/rrl/clean.sh
patching file bin/tests/system/rrl/ns1/named.conf
patching file bin/tests/system/rrl/ns1/root.db
patching file bin/tests/system/rrl/ns2/hints
patching file bin/tests/system/rrl/ns2/named.conf
patching file bin/tests/system/rrl/ns2/tld2.db
patching file bin/tests/system/rrl/ns3/hints
patching file bin/tests/system/rrl/ns3/named.conf
patching file bin/tests/system/rrl/ns3/tld3.db
patching file bin/tests/system/rrl/setup.sh
patching file bin/tests/system/rrl/tests.sh
patching file doc/arm/Bv9ARM-book.xml
patching file lib/dns/Makefile.in
patching file lib/dns/include/dns/log.h
patching file lib/dns/include/dns/rrl.h
patching file lib/dns/include/dns/view.h
patching file lib/dns/log.c
patching file lib/dns/rrl.c
patching file lib/dns/view.c
patching file lib/isccfg/namedconf.c
patching file version

# ./configure --sysconfdir=/etc --enable-threads
# make
# make install

# /usr/local/sbin/named -V
BIND 9.9.2-vjs287.12 built with '--sysconfdir=/etc' '--enable-threads'
using OpenSSL version: OpenSSL 1.0.0 29 Mar 2010


[ example usage ]

about rate-limit options
http://www.rhyolite.com/temp/rl-arm.html

named.conf
Add a rate-limit block inside the options statement:
options {
<snip>
       rate-limit {
               responses-per-second 25;
               window 5;
       };

};
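The post only sets responses-per-second and window. As an added example (not from the original post), here is a fuller rate-limit block with the knobs a production server would normally set; the option names are those documented in the RRL ARM section linked above, while the numeric values and the exempt addresses are illustrative assumptions. One caveat for practitioners: RRL is designed for authoritative servers that must answer the whole Internet. The test below runs against a recursive resolver, where the right fix for reflection abuse is to restrict recursion with allow-recursion / allow-query, not to rate-limit it.

```conf
options {
        // ... other options ...

        rate-limit {
                // Identical responses to one client prefix beyond this
                // rate (per second) are limited.
                responses-per-second 10;

                // Separate, lower budgets for the answer types attackers
                // like to use as amplifiers (referrals, NODATA, NXDOMAIN,
                // SERVFAIL and other errors).
                referrals-per-second 5;
                nodata-per-second    5;
                nxdomains-per-second 5;
                errors-per-second    5;

                // Credit window in seconds: a prefix may burst up to
                // window * rate responses before limiting starts.
                window 5;

                // Instead of silently dropping every limited response, send
                // every 2nd one as a truncated (TC=1) reply. A real client
                // retries over TCP and still gets an answer; a spoofed
                // reflector gets a tiny packet, so no amplification.
                slip 2;

                // Clients are bucketed by these prefix lengths.
                ipv4-prefix-length 24;
                ipv6-prefix-length 56;

                // Never limit monitoring hosts and secondaries
                // (addresses are assumptions for this example).
                exempt-clients { 127.0.0.1; 192.0.2.0/24; };

                // Weak setting while tuning: "log-only yes" only reports
                // what would happen. Switch to "no" to actually enforce.
                log-only no;
        };
};
```

Run named-checkconf on the result before reloading; an unknown option name means the running named predates the patch (or the option) and the whole block would be rejected.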


run named
# /usr/local/sbin/named -n 1 -c /etc/named.conf


Build queryperf, the DNS query load-generation tool shipped in BIND's contrib directory:
# cd bind-9.9.2/contrib/queryperf/
# sh configure;make


Prepare a query list (one query per line: name and type). Every line asks for the same name, which is exactly the repeated-response pattern RRL is designed to catch:
# head -3 query_list.txt
www.google.com a
www.google.com a
www.google.com a

# wc -l query_list.txt
186 query_list.txt


run queryperf
# ./queryperf -s 127.0.0.1 -d query_list.txt

DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $

[Status] Processing input data
[Status] Sending queries (beginning with 127.0.0.1)
[Timeout] Query timed out: msg id 5
[Timeout] Query timed out: msg id 6
[Timeout] Query timed out: msg id 7


The timeouts are responses that named dropped because of the rate limit. The log shows which client prefix and which name/type were limited:
# tail -f /var/log/messages
Nov 17 15:06:42 centos6 named[21477]: clients-per-query increased to 15
Nov 17 15:06:42 centos6 named[21477]: limit responses to 127.0.0.0/24 for www.google.com IN A  (009a525d)


rndc stats (the counters are written to the statistics file, named.stats in named's working directory by default):
[View: _bind]
++ Name Server Statistics ++
             189337 IPv4 requests received
             123808 responses sent
              65419 truncated responses sent
              58389 queries resulted in successful answer
             123808 queries resulted in non authoritative answer
              65419 queries resulted in nxrrset
                120 queries caused recursion
              65529 queries dropped
              65419 responses dropped for rate limits
              65419 responses truncated for rate limits
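The syslog lines and the rndc counters above are the two places you can see RRL working, so the following added shell example (not part of the original post) summarises both: which client prefixes and names were actually limited, whether named is still in log-only mode, and what share of received requests RRL dropped or truncated. It assumes the message format shown on this page ("limit responses to <prefix> for <qname> IN <type>") and the counter names printed by the patched BIND 9.9.2; the sample log and stats excerpts are constructed for the example (the 192.0.2.0/24 ANY line is invented, the numbers are the post's).

```shell
#!/bin/sh
# Added example (not from the original post): summarise RRL activity from
# named's syslog lines and from "rndc stats" counters.

# Constructed syslog excerpt, modelled on the lines in the post.
SAMPLE_LOG='Nov 17 15:06:42 centos6 named[21477]: clients-per-query increased to 15
Nov 17 15:06:42 centos6 named[21477]: limit responses to 127.0.0.0/24 for www.google.com IN A  (009a525d)
Nov 17 15:06:43 centos6 named[21477]: limit responses to 192.0.2.0/24 for example.com IN ANY  (1a2b3c4d)
Nov 17 15:06:47 centos6 named[21477]: stop limiting responses to 127.0.0.0/24 for www.google.com IN A  (009a525d)
Nov 17 15:06:52 centos6 named[21477]: limit responses to 127.0.0.0/24 for www.google.com IN A  (009a525d)
Nov 17 15:30:44 centos6 named[21547]: would limit responses to 127.0.0.0/24 for www.google.com IN A  (009a525d)'

# Constructed "rndc stats" excerpt using the numbers from the post.
SAMPLE_STATS='             189337 IPv4 requests received
             123808 responses sent
              65419 responses dropped for rate limits
              65419 responses truncated for rate limits'

# rrl_limited_prefixes: read syslog on stdin, print "count prefix qname type"
# for each (client prefix, name, type) that was really limited, busiest first.
# Fields: $5 is "named[pid]:", so an enforced event has $6=="limit";
# "would limit" (log-only) and "stop limiting" lines are skipped.
rrl_limited_prefixes() {
    awk '$6 == "limit" && $7 == "responses" && $8 == "to" {
             hits[$9 " " $11 " " $13]++
         }
         END { for (k in hits) print hits[k], k }' | sort -rn
}

# rrl_log_only_events: count "would limit" lines, i.e. evidence that named
# is still running with "log-only yes" and enforcing nothing.
rrl_log_only_events() {
    grep -c ': would limit responses to ' || true
}

# rrl_drop_ratio: read an rndc stats file on stdin and print the integer
# percentage of received requests (IPv4 + IPv6) that RRL dropped or slipped
# (truncated). Prints 0 when the counters are absent.
rrl_drop_ratio() {
    awk '/requests received/                  { recv += $1 }
         /responses dropped for rate limits/   { rl   += $1 }
         /responses truncated for rate limits/ { rl   += $1 }
         END { if (recv > 0) printf "%d\n", int(rl * 100 / recv); else print 0 }'
}

# Stand-alone demo on the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | rrl_limited_prefixes
printf 'log-only events: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | rrl_log_only_events)"
printf 'rate-limited: %s%% of requests\n' "$(printf '%s\n' "$SAMPLE_STATS" | rrl_drop_ratio)"
```

On a live host, feed the functions real data, for example `grep 'named\[' /var/log/messages | rrl_limited_prefixes` and, after running `rndc stats`, `rrl_drop_ratio < named.stats` (the statistics file path depends on your statistics-file setting). A drop ratio of roughly two thirds, as in the post's counters, is what you expect from a single-name flood; on a production authoritative server the same number would mean either an ongoing reflection attack or a responses-per-second value set too low for legitimate resolvers.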



With log-only, named only logs what it would have done and drops nothing:
       rate-limit {
             responses-per-second 25;
               window 5;
               log-only yes;
       };


syslog
Nov 17 15:30:44 centos6 named[21547]: would stop limiting responses to 127.0.0.0/24 for www.google.com IN A  (009a525d)
Nov 17 15:30:44 centos6 named[21547]: would limit responses to 127.0.0.0/24 for www.google.com IN A  (009a525d)


No queries were dropped:
# ./queryperf -s 127.0.0.1 -d query_list.txt

DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $

[Status] Processing input data
[Status] Sending queries (beginning with 127.0.0.1)
[Status] Testing complete

Statistics:

 Parse input file:     once
 Ended due to:         reaching end of file

 Queries sent:         9886 queries
 Queries completed:    9886 queries
 Queries lost:         0 queries
 Queries delayed(?):   0 queries

 RTT max:              0.001459 sec
 RTT min:              0.000284 sec
 RTT average:          0.001276 sec
 RTT std deviation:    0.000038 sec
 RTT out of range:     0 queries

 Percentage completed: 100.00%
 Percentage lost:        0.00%

 Started at:           Mon Nov 17 15:30:44 2012
 Finished at:          Mon Nov 17 15:30:45 2012
 Ran for:              0.636092 seconds

 Queries per second:   15541.776976 qps
