> > to that end, vernon schryver and i have been exploring rate limiting in
> > BIND 9. there's a patch available, which i've so far offered only to
> > anyone whose server is currently getting abused. what i'm great.
> >
> > config {
> >     // ...
> >     rate-limit {
> >         responses-per-second 5;
> >         window 5;
> >     };
> > };
>
> I'm afraid we may need more control. If my clients are generating a DDoS
> attack at 20 responses per second, and I limit this to 5 per second -
> the C&C can get the same effect by mobilizing four times as many clients
> to do the job. On my wishlist, in addition to rate limiting, is also:
>
> - Some way of dynamically blackholing clients, based on one or more of
>   -- Rate limit exceeded
>   -- Asking the *same* question (with a large response) repeatedly
>   -- Asking a *specific* question (e.g. ANY isc.org|ripe.net)
>   -- Input from an external system, e.g. via rndc

What about rate limiting clients which are not keeping the TTL value?

We are talking about rate limiting on authoritative name servers, right?

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
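The following is an added example, not code from BIND or from anyone in the thread. It models the credit accounting behind the quoted `responses-per-second 5; window 5;` configuration and then plays the two scenarios the thread argues about through it: one spoofed /24 flooding `ANY isc.org` at 20 qps, and the same load spread over four /24s at 5 qps each. The model is a simplification of BIND's RRL (credits are capped at one second's allowance, debt at `window` seconds' worth, and every second refused response is "slipped" as a truncated TC=1 reply); the `slip` parameter, the 20 qps rate, the client netblocks and the `buckets_in_debt` report are assumptions for illustration, not BIND options or behaviour the page documents.

```python
"""Simplified model of DNS response rate limiting (RRL), added as an example.

Each (client /24, qname, qtype) bucket starts with `responses_per_second`
credits, earns that many per elapsed second (capped at one second's worth),
spends one credit per response, and may run a debt of at most
window * responses_per_second. A response with no credit is dropped, except
that every `slip`-th refused response is sent truncated (TC=1) so that a
legitimate client hiding in a flooded block can retry over TCP.
This approximates BIND 9 RRL; it is not BIND's implementation.
"""
from collections import Counter
from ipaddress import ip_network

ANSWER, DROP, TRUNCATE = "answer", "drop", "truncate"


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, window=5, slip=2, prefix_len=24):
        self.rate = responses_per_second
        self.window = window
        self.slip = slip            # assumption: BIND-style "answer every Nth refused one with TC"
        self.prefix_len = prefix_len
        self.balance = {}           # bucket -> credits (negative means debt)
        self.last_seen = {}         # bucket -> integer second of last update
        self.limited = Counter()    # bucket -> responses refused so far (drives slip)

    def bucket(self, client_ip, qname, qtype):
        # Key on the client network block, not the single address: flood sources
        # are spoofed and spread across a block, and the (qname, qtype) pair
        # identifies "the same large answer" being requested over and over.
        net = ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def decide(self, now, client_ip, qname, qtype):
        """Return ANSWER, DROP or TRUNCATE for one would-be response at integer second `now`."""
        key = self.bucket(client_ip, qname, qtype)
        bal = self.balance.get(key, self.rate)
        elapsed = now - self.last_seen.get(key, now)
        bal = min(self.rate, bal + elapsed * self.rate)   # credits never exceed one second's worth
        self.last_seen[key] = now
        if bal > 0:
            self.balance[key] = bal - 1
            return ANSWER
        self.balance[key] = max(-self.rate * self.window, bal - 1)  # debt bounded by the window
        self.limited[key] += 1
        if self.slip and self.limited[key] % self.slip == 0:
            return TRUNCATE
        return DROP

    def buckets_in_debt(self):
        """Buckets that have exhausted their credit: the 'rate limit exceeded' signal
        a dynamic blackhole could act on. Reported only, never enforced here."""
        return sorted(k for k, b in self.balance.items() if b < 0)


def simulate(limiter, queries):
    """queries: iterable of (second, client_ip, qname, qtype); returns a Counter of decisions."""
    return Counter(limiter.decide(*q) for q in sorted(queries, key=lambda q: q[0]))


def flood_one_block(seconds=5, qps=20):
    """Constructed flood: one spoofed /24 asking `ANY isc.org` 20 times a second."""
    queries = [(s, f"192.0.2.{i % 256}", "isc.org", "ANY")
               for s in range(seconds) for i in range(qps)]
    lim = ResponseRateLimiter(responses_per_second=5, window=5, slip=2)
    return simulate(lim, queries), lim


def flood_four_blocks(seconds=5, qps_per_block=5):
    """Same total load spread over four constructed /24s at 5 qps each: every
    response goes out, which is the 'four times as many clients' escape."""
    blocks = ["192.0.2", "198.51.100", "203.0.113", "10.99.0"]
    queries = [(s, f"{b}.{i}", "isc.org", "ANY")
               for s in range(seconds) for b in blocks for i in range(qps_per_block)]
    lim = ResponseRateLimiter(responses_per_second=5, window=5, slip=2)
    return simulate(lim, queries), lim


if __name__ == "__main__":
    one, lim_one = flood_one_block()
    print("one /24 at 20 qps:", dict(one), "in debt:", lim_one.buckets_in_debt())
    four, lim_four = flood_four_blocks()
    print("four /24s at 5 qps:", dict(four), "in debt:", lim_four.buckets_in_debt())
```

In the single-block run only the first five responses are answered; once the bucket is in debt it gets nothing but slipped TC replies until the flood stops and the debt is paid down at 5 credits a second, which is what `window` bounds. In the four-block run every response is sent, because each /24 stays within its own 5 per second, which is exactly the point the reply raises: per-bucket rate limiting caps the amplification a single source block can extract, not the aggregate an attacker can reach by spreading spoofed sources.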