[ratelimits] Multiple buckets

Jay Daley jay at nzrs.net.nz
Thu Oct 25 23:54:28 UTC 2012


When I've previously implemented rate limiting systems I've found that miscreants get to learn the limits and adjust accordingly.  For example, if I wished to launch a reflection attack then I would not be bothered by a server running a rate limit of 10qps, I would just find 1000 such servers and use all of them at once.  With the current RRL implementation I could happily run this attack for hours or even days.

I would recommend that the RRL implementation be extended to provide multiple, configurable token buckets.  This would then enable me to configure a server as follows:

bucket1 {
  response-limit: 10
  response-window: 1  (in seconds)
}

bucket2 {
  response-limit: 300
  response-window: 60
}

bucket3 {
  response-limit: 5000
  response-window: 3600
}

Another benefit of a more general approach like this is that everybody does it differently, which makes it far harder for miscreants to predict cumulative behaviour and use cumulative behaviour to their advantage.


Jay Daley
Chief Executive
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 931 6977
mobile: +64 21 678840
linkedin: www.linkedin.com/in/jaydaley
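
The three-bucket configuration proposed above, as an added example that is not part of the original post and not code from any RRL implementation: it shows how a sender who stays just under the 10-per-second limit is still capped by the longer windows. Assumptions: fixed-window counters stand in for token buckets to keep the arithmetic exact, limits are keyed per client netblock, and the class name, function names and the 192.0.2.0/24 key are hypothetical.

```python
from collections import defaultdict

# Tiers from the post: (response-limit, response-window in seconds).
TIERS = [(10, 1), (300, 60), (5000, 3600)]


class MultiWindowLimiter:
    """Fixed-window counters; a response is sent only if every tier has room."""

    def __init__(self, tiers):
        self.tiers = list(tiers)
        # counts[(key, tier_index)] -> [window_id, responses_sent]
        self.counts = defaultdict(lambda: [None, 0])

    def allow(self, key, now):
        slots = []
        for i, (limit, window) in enumerate(self.tiers):
            slot = self.counts[(key, i)]
            window_id = int(now // window)
            if slot[0] != window_id:      # new window: reset this tier
                slot[0], slot[1] = window_id, 0
            if slot[1] >= limit:
                return False              # any exhausted tier blocks the response
            slots.append(slot)
        for slot in slots:                # charge all tiers only on success
            slot[1] += 1
        return True


def simulate(tiers, qps=9, seconds=3600, key="192.0.2.0/24"):
    """Count responses sent to one (constructed) netblock querying at a steady rate."""
    limiter = MultiWindowLimiter(tiers)
    return sum(limiter.allow(key, t) for t in range(seconds) for _ in range(qps))


if __name__ == "__main__":
    print("1 tier :", simulate(TIERS[:1]))   # sender adapted to 10/s is never limited
    print("2 tiers:", simulate(TIERS[:2]))   # capped at 300 per minute
    print("3 tiers:", simulate(TIERS))       # capped at 5000 per hour
```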
