> From: Tony Finch
> To: Vernon Schryver
> cc: dns-operati...@mail.dns-oarc.net
> At the moment I'm just using BIND's sockaddr_hash routine, adapted to hash
> on the network prefix and to provide two variant hashes.
I think you would do better by treating the IP address as an integer
(includi
Vernon Schryver wrote:
>
> How many hash functions are you using, what are they, and how do you
> know that they are sufficiently independent to give a tolerable false
> positive rate without using as much RAM as a single classic hash table?
You can use a linear combination of two hash functions
> From: Tony Finch
> To: Vernon Schryver
> cc: dns-operati...@mail.dns-oarc.net
> The reason I'm basing my work on a Bloom filter is to avoid any per-client
> scaling costs. There's a fixed per-packet overhead, a fixed memory cost
> (which should be scaled with the server's overall load), and a
Vernon Schryver wrote:
>
> The second issue concerns log noise and the popular enthusiasm for
> using Bloom filters for DNS response rate limiting. I've heard more
> than one suggestion for using Bloom filters for DNS response rate
> limiting. Bloom filters are a great idea for some things but I
It seems to me that it might be pertinent to split this discussion
into clear threads. There are several different attack patterns being
discussed here, and it is my opinion that they have distinct and
different solutions, and may merit separated discussion, or at least
identification.
The < https
> From: Jim Reid
> My logs tended to have a few hundred entries at a time for the same
> (spoofed?) IP address. So as soon as I blackholed the last IP address
> in the log file, entries for another would be appended. At 4am and
> there's a caffeine deficit, this looks like a new client has
On 10 Jun 2012, at 22:59, Kyle Creyts wrote:
> Someone mentioned that as soon as the spoofed client is blocked, that
> a new spoofed client is used... This behavior seems... strange.
I did and I was wrong.
My logs tended to have a few hundred entries at a time for the same
(spoofed?) IP address