[ratelimits] Multiple buckets

Jay Daley jay at nzrs.net.nz
Thu Oct 25 23:54:28 UTC 2012


Hi

When I've previously implemented rate limiting systems I've found that miscreants get to learn the limits and adjust accordingly.  For example, if I wished to launch a reflection attack then I would not be bothered by a server running a rate limit of 10qps, I would just find 1000 such servers and use all of them at once.  With the current RRL implementation I could happily run this attack for hours or even days.

I would recommend that the RRL implementation be extended to provide multiple, configurable token buckets.  This would then enable me to configure a server as follows:

bucket1 {
  response-limit: 10
  response-window: 1  (in seconds)
}

bucket2 {
  response-limit: 300
  response-window: 60
}

bucket3 {
  response-limit: 5000
  response-window: 3600
}


Another benefit of a more general approach like this is that everybody does it differently, which makes it far harder for miscreants to predict cumulative behaviour and use cumulative behaviour to their advantage.

Jay

-- 
Jay Daley
Chief Executive
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 931 6977
mobile: +64 21 678840
linkedin: www.linkedin.com/in/jaydaley
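
The three-bucket configuration proposed above, sketched as an added example that is not part of the original message or of any RRL implementation: a response is sent only when every bucket still holds a token. The class and function names, the keying by client netblock, and the steady 8 qps sample load are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# (response-limit, response-window in seconds): the three buckets proposed above
BUCKETS = [(10, 1), (300, 60), (5000, 3600)]


@dataclass
class Bucket:
    limit: int
    window: float
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.limit)  # a new client starts with a full bucket

    def refill(self, now):
        # Tokens return at limit/window per second, capped at the limit.
        elapsed = now - self.last
        self.tokens = min(self.limit, self.tokens + elapsed * self.limit / self.window)
        self.last = now


class MultiBucketLimiter:
    def __init__(self, buckets=BUCKETS):
        self.spec = list(buckets)
        self.clients = {}  # client key -> one Bucket per configured window

    def allow(self, client, now):
        state = self.clients.get(client)
        if state is None:
            state = self.clients[client] = [Bucket(l, w) for l, w in self.spec]
        for b in state:
            b.refill(now)
        # Respond only if every window still has budget; a denied query
        # consumes nothing, so short windows recover independently.
        if any(b.tokens < 1.0 for b in state):
            return False
        for b in state:
            b.tokens -= 1.0
        return True


def simulate(qps, seconds, buckets=BUCKETS, client="192.0.2.0/24"):
    """Count responses sent to one client querying at a steady rate (constructed load)."""
    limiter = MultiBucketLimiter(buckets)
    return sum(limiter.allow(client, i / qps) for i in range(qps * seconds))


if __name__ == "__main__":
    print("10/s bucket only, 8 qps for 10 min:", simulate(8, 600, [(10, 1)]))
    print("all three buckets, 8 qps for 10 min:", simulate(8, 600))
    print("all three buckets, 8 qps for 1 hour:", simulate(8, 3600))
```

A client that stays at 8 qps never trips the 10-per-second bucket, but the 60-second bucket holds its sustained rate to 5 responses per second and the hourly bucket to roughly 1.4 per second.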


