coredns / rrl

Response Rate Limiting Plugin for CoreDNS
Apache License 2.0

rrl

Name

rrl - provides BIND-like Response Rate Limiting to help mitigate DNS amplification attacks. rrl also allows request rate limiting.

Description

The rrl plugin tracks response rates per category of response. The category of a given response consists of the following:

To better protect against attacks that use invalid requests, the requested name and type are not categorized separately for error-type responses. In other words, all error responses are limited collectively per client, regardless of qname or qtype.

Each category has an account balance which is credited at a rate of the configured per-second allowance for that response type, and debited each time a response in that category would be sent to a client. When an account balance is negative, responses in the category are dropped until the balance goes non-negative. Account balances cannot be more positive than the per-second allowance, and cannot be more negative than window * per-second allowance (the configured window in seconds multiplied by the per-second allowance), so a client that stops flooding is penalized for at most window seconds.
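As an added illustration of the account-balance rule above (not the plugin's own code), the following Go simulation credits, debits and clamps one category's balance exactly as described, using a constructed allowance of 10 responses per second and a window of 15 seconds; the category key string and the caller-supplied clock are assumptions.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Account is one category's balance plus the time it was last credited.
type Account struct {
	balance    float64
	lastCredit time.Time
}

// Limiter holds the per-category accounts for one response type.
type Limiter struct {
	allowance float64 // configured per-second allowance for this response type
	window    float64 // configured window in seconds
	accounts  map[string]*Account
}

func NewLimiter(allowance, window float64) *Limiter {
	return &Limiter{allowance: allowance, window: window, accounts: map[string]*Account{}}
}

// Allow debits the category's account at time now and reports whether the
// response may be sent (true) or must be dropped (false). The category key
// (e.g. client prefix plus response attributes) is assumed to be built by the caller.
func (l *Limiter) Allow(category string, now time.Time) bool {
	a, ok := l.accounts[category]
	if !ok {
		a = &Account{balance: l.allowance, lastCredit: now} // new category starts full
		l.accounts[category] = a
	}
	// Credit elapsed time at the per-second allowance, capped at +allowance.
	elapsed := now.Sub(a.lastCredit).Seconds()
	a.balance = math.Min(a.balance+elapsed*l.allowance, l.allowance)
	a.lastCredit = now
	// Debit one response even if it will be dropped, floored at -window*allowance.
	a.balance = math.Max(a.balance-1, -l.window*l.allowance)
	return a.balance >= 0
}

// Balance exposes a category's current balance (0 if the category is unknown).
func (l *Limiter) Balance(category string) float64 {
	if a, ok := l.accounts[category]; ok {
		return a.balance
	}
	return 0
}

// Replay feeds n responses for one category at instant t and returns how many were sent.
func (l *Limiter) Replay(category string, t time.Time, n int) int {
	sent := 0
	for i := 0; i < n; i++ {
		if l.Allow(category, t) {
			sent++
		}
	}
	return sent
}

func main() {
	l := NewLimiter(10, 15)
	t0 := time.Unix(0, 0)
	fmt.Println("sent of 12 in one second:", l.Replay("client/example.org./A", t0, 12))
}
```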

The response rate limiting implementation intends to replicate the behavior of BIND 9's response rate limiting feature.

When limiting requests, the category of each request is determined by the prefix of the client IP (per the ipv4/6-prefix-length).

Syntax

rrl [ZONES...] {
    window SECONDS
    ipv4-prefix-length LENGTH
    ipv6-prefix-length LENGTH
    responses-per-second ALLOWANCE
    nodata-per-second ALLOWANCE
    nxdomains-per-second ALLOWANCE
    referrals-per-second ALLOWANCE
    errors-per-second ALLOWANCE
    slip-ratio N
    requests-per-second ALLOWANCE
    max-table-size SIZE
    report-only
}

Mitigate Wildcard Flooding with the metadata Plugin

An attacker can evade rrl rate limits when launching a reflection attack if they know of the existence of a wildcard record. In a nutshell, the attacker can spread the reflection attack across an unlimited number of unique query names synthesized by a wildcard, keeping the rate of responses for each individual name under the limits. To protect against this, enable the metadata plugin. When the metadata plugin is enabled, rrl will account for all responses synthesized by known wildcards under the parent domain of the wildcard. e.g. Both a.example.org. and b.example.org. would be accounted for as example.org. if they are synthesized from the wildcard record *.example.org. This approach follows BIND9's solution to the same problem.

Important:

Metrics

If monitoring is enabled (via the prometheus plugin) then the following metrics are exported:

External Plugin

RRL is an external plugin, which means it is not included in CoreDNS releases. To use rrl, you'll need to build a CoreDNS image with rrl included (near the top of the plugin list). In a nutshell you'll need to:

Examples

Example 1

. {
  rrl . {
    responses-per-second 10
  }
}

Known Issues

rrl is vulnerable to wildcard flooding. See the section above for mitigating this vulnerability: Mitigate Wildcard Flooding with the metadata Plugin

Additional References

A Quick Introduction to Response Rate Limiting

This Plugin's Design Spec