[ratelimits] Multiple buckets
jay at nzrs.net.nz
Thu Oct 25 23:54:28 UTC 2012
When I've previously implemented rate limiting systems I've found that miscreants get to learn the limits and adjust accordingly. For example, if I wished to launch a reflection attack then I would not be bothered by a server running a rate limit of 10 qps; I would just find 1000 such servers and use all of them at once. With the current RRL implementation I could happily run this attack for hours or even days.
I would recommend that the RRL implementation be extended to provide multiple, configurable token buckets. This would then enable me to configure a server as follows:
response-window: 1 (in seconds)
Another benefit of a more general approach like this is that everybody does it differently, which makes it far harder for miscreants to predict cumulative behaviour and use cumulative behaviour to their advantage.
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 931 6977
mobile: +64 21 678840