Maintained by: NLnet Labs

[Unbound-users] a mitigation against random subdomain attack

Daisuke HIGASHI
Tue Mar 24 13:55:10 CET 2015


Hi Maciej,

> This is interesting; can you help me understand where does the 9.6 bits come
> from?

See mathematics in http://en.wikipedia.org/wiki/Bloom_filter .

In the current code, k is set to 7, optimizing memory size at
approximately 1% false positive. Under these params you need
only 9.6 bits of memory per element (unique noerror qnames).

If you think 1% is too high, set k to 10 for a 0.1% false positive rate
and you will need 14.5 bits per element.

k is set as the second arg in daemon.c:bf_create(). Sorry for the ugly magic number.

> Also, what would a false positive here be?
> A random query that was allowed or a legitimate query that was refused?

A false positive is "a random query that was allowed".

The Bloom filter never refuses known qnames. However, obviously legitimate
but very rare qnames (names which no client queried in the past)
would be refused.

Regards,
--
 Daisuke HIGASHI
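An added example, not code from this mail or from Unbound's daemon.c:bf_create(), that sizes a Bloom filter with the formulas referenced above (bits per element and k from a target false-positive rate) and then checks the two behaviours discussed: known noerror qnames are never refused, while unseen names are let through only at roughly the target rate. The qnames, the blake2b-based double hashing and the helper names are my own assumptions.

```python
import math
from hashlib import blake2b

def bits_per_element(p):
    """Filter bits per inserted element for target false-positive rate p (m/n)."""
    return -math.log(p) / (math.log(2) ** 2)

def optimal_k(p):
    """Number of hash functions that minimises size at false-positive rate p."""
    return max(1, round(bits_per_element(p) * math.log(2)))

class BloomFilter:
    """Bit-array Bloom filter sized for n expected elements at rate p."""
    def __init__(self, n, p):
        self.k = optimal_k(p)
        self.m = max(8, math.ceil(bits_per_element(p) * n))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Kirsch-Mitzenmacher double hashing: k bit indexes from two 64-bit halves
        # of one blake2b digest (assumed scheme; qnames are case-insensitive).
        d = blake2b(item.lower().encode(), digest_size=16).digest()
        h1 = int.from_bytes(d[:8], "little")
        h2 = int.from_bytes(d[8:], "little") | 1
        return ((h1 + i * h2) % self.m for i in range(self.k))

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item):
        return all(self.bits[pos >> 3] & (1 << (pos & 7))
                   for pos in self._positions(item))

def simulate(n_known=1000, n_probe=2000, p=0.01):
    """Train on constructed 'seen NOERROR' qnames, probe with constructed unseen ones."""
    bf = BloomFilter(n_known, p)
    known = [f"host{i}.example.net" for i in range(n_known)]   # constructed
    for name in known:
        bf.add(name)
    refused_known = sum(1 for name in known if name not in bf)   # must be 0
    probes = [f"zz{i:06x}.example.net" for i in range(n_probe)]  # constructed, never added
    allowed_unknown = sum(1 for name in probes if name in bf)    # false positives
    return {"k": bf.k, "m": bf.m, "refused_known": refused_known,
            "fp_rate": allowed_unknown / n_probe}
```

Running simulate() with the defaults gives k=7 and about 9.6 bits per known name, with every known name admitted and the unseen names passing at roughly the 1% rate.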