[ratelimits] Multiple buckets
Jay Daley
jay at nzrs.net.nz
Thu Oct 25 23:54:28 UTC 2012
Hi
When I've previously implemented rate limiting systems I've found that miscreants get to learn the limits and adjust accordingly. For example, if I wished to launch a reflection attack then I would not be bothered by a server running a rate limit of 10qps, I would just find 1000 such servers and use all of them at once. With the current RRL implementation I could happily run this attack for hours or even days.
I would recommend that the RRL implementation be extended to provide multiple, configurable token buckets. This would then enable me to configure a server as follows:
bucket1 {
response-limit: 10
response-window: 1 (in seconds)
}
bucket2 {
response-limit: 300
response-window: 60
}
bucket3 {
response-limit: 5000
response-window: 3600
}
Another benefit of a more general approach like this is that everybody does it differently, which makes it far harder for miscreants to predict cumulative behaviour and use cumulative behaviour to their advantage.
Jay
--
Jay Daley
Chief Executive
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 931 6977
mobile: +64 21 678840
linkedin: www.linkedin.com/in/jaydaley
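An added example (not code from the poster or from any RRL implementation) of the scheme proposed above: one token bucket per configured window, a response sent only when every bucket still has a token, and the exhausted bucket reported so the drop can be logged. The three-bucket CONFIG mirrors the post's example; the client address and the 8 qps traffic are constructed to show a sender pacing itself under the per-second limit still being caught by the 60-second bucket.

```python
from dataclasses import dataclass

# Hypothetical config mirroring the post: (response-limit, response-window seconds).
CONFIG = [(10, 1), (300, 60), (5000, 3600)]


@dataclass
class Bucket:
    limit: int
    window: float
    tokens: float
    last: float

    def refill(self, now: float) -> None:
        # Tokens return at limit/window per second, capped at the limit.
        rate = self.limit / self.window
        self.tokens = min(self.limit, self.tokens + (now - self.last) * rate)
        self.last = now


class MultiBucketLimiter:
    def __init__(self, config=CONFIG):
        self.config = config
        self.clients = {}  # client id -> list of buckets, one per window

    def allow(self, client: str, now: float):
        """Return (allowed, index of the exhausted bucket or None)."""
        buckets = self.clients.setdefault(
            client, [Bucket(l, w, float(l), now) for l, w in self.config])
        for i, b in enumerate(buckets):
            b.refill(now)
            if b.tokens < 1:
                return False, i  # drop the response; consume nothing
        for b in buckets:
            b.tokens -= 1
        return True, None


def simulate(config, qps: int, seconds: int) -> dict:
    """Constructed traffic: one client sending at a steady qps."""
    lim = MultiBucketLimiter(config)
    stats = {"allowed": 0, "denied": 0, "first_denied_at": None, "by_bucket": {}}
    for i in range(qps * seconds):
        now = i / qps
        ok, idx = lim.allow("203.0.113.7", now)  # constructed client address
        if ok:
            stats["allowed"] += 1
        else:
            stats["denied"] += 1
            stats["by_bucket"][idx] = stats["by_bucket"].get(idx, 0) + 1
            if stats["first_denied_at"] is None:
                stats["first_denied_at"] = now
    return stats


if __name__ == "__main__":
    print(simulate(CONFIG, 8, 120))       # bucket2 starts dropping at 99.75 s
    print(simulate(CONFIG[:1], 8, 120))   # the 10 qps bucket alone never drops
```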