26–27 Oct 2024
Clarion Congress Hotel Prague
Europe/Prague timezone

DoS protection using multi-prefix query counting

27 Oct 2024, 10:15
25m
Tycho/Kepler Rooms (Clarion Congress Hotel Prague)

Tycho/Kepler Rooms

Clarion Congress Hotel Prague

Freyova 33 Praha 9 ⁠-⁠ Vysočany 190 00 Česká republika
In-Person Standard Presentation Main Session Session 1

Speaker

Lukáš Ondráček (CZ.NIC, z.s.p.o.)

Description

We present our approach to protecting against denial-of-service attacks, implemented in Knot Resolver. It consists of two parts: rate-limiting and prioritization.

Rate-limiting counts requests originating from the same host and/or network and restricts those that are over the set limits; it serves primarily to mitigate amplification attacks.
Prioritization reorders waiting requests based on the cpu consumption of the past requests from the same origin so that the requests from the more demanding clients will be deferred and possibly dropped in case of overloading.

We will first focus on the basic limiting of individual hosts to show how the counters of the same-origin queries work, incl. their exponential decay and how to set the desired limits -- so called instant limit and rate limit parameters are used to control the behaviour. Then, we will extend it to the whole networks by using the same approach for multiple address prefixes to handle even partially distributed attacks and mention different methods of restriction based on the counters' value. Finally, we will move on to query prioritization.

The presentation will roughly follow this article:
https://en.blog.nic.cz/2024/07/15/knot-resolver-6-news-dos-protection-operators-overview/

Talk duration 20 Minutes (+5 for Q&A)

Primary author

Lukáš Ondráček (CZ.NIC, z.s.p.o.)

Presentation materials