[ratelimits] CH/TXT/id.server queries rate-limited
Jay Daley
jay at nzrs.net.nz
Fri Oct 26 21:13:32 UTC 2012
On 27/10/2012, at 9:55 AM, Jay Daley <jay at nzrs.net.nz> wrote:
>> On the contrary, that would increase the number of records by a factor
>> of 5 (1 second versus 5 seconds). Unlike rate limiting IP packets
>> and HTTP client IP addresses, at timescales shorter than DNS TTLs,
>> DNS (IP,qname,qtype) streams are almost all single, unique responses/requests.
>> They are not streams. A DNS response rate limiter needs about as many
>> buckets as window*qps. In my code, practically all buckets are discarded
>> or recycled after 1 second. Your code would need to keep all buckets
>> for 5 seconds before discarding almost all of them with final counts of 1.
>
> Ah, understood.
Sorry, I got confused. I was not suggesting an independent second bucket, which would require the fivefold (or whatever the window size is) increase, but a second limit that is imposed when a rate limit has kicked in and the window penalty is now being imposed. Again, the only intention would be to limit sustained attacks.
Jay
--
Jay Daley
Chief Executive
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 931 6977
mobile: +64 21 678840
linkedin: www.linkedin.com/in/jaydaley
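The two points argued in this exchange, as an added example that is not code from the list, from Jay, or from any RRL implementation: a toy response rate limiter keyed on (client IP, qname, qtype) whose live bucket table grows with window*qps because nearly every key dies with a final count of 1, plus one possible reading of the "second limit" above, where a key that keeps hitting the per-window limit for several consecutive windows is put under a longer penalty. The traffic below is constructed, and the extra-window hold for hot buckets, the streak counter and every threshold are my own assumptions for illustration.

```python
"""Toy DNS response rate limiter (added example, not RRL or list code).

Shows (1) why the bucket table is about window * qps for unique
(ip, qname, qtype) traffic, and (2) a second, sustained-attack limit that
only applies once a key has already been rate-limited in consecutive windows.
"""
from dataclasses import dataclass


@dataclass
class Bucket:
    window_start: int        # ms at which the current window opened
    count: int = 0           # responses seen in the current window
    hot_streak: int = 0      # consecutive earlier windows that hit the limit
    penalty_until: int = 0   # ms until which every response is dropped


class ResponseRateLimiter:
    def __init__(self, window_ms, limit, sustained_windows=None, penalty_ms=0):
        self.window_ms = window_ms
        self.limit = limit                          # responses per window per key
        self.sustained_windows = sustained_windows  # second limit; None disables it
        self.penalty_ms = penalty_ms                # penalty once the second limit trips
        self.buckets = {}
        self.peak_buckets = 0

    def _recycle(self, now):
        """Discard buckets whose window has passed. For ordinary traffic almost
        every bucket dies here with a final count of 1."""
        dead = []
        for key, b in self.buckets.items():
            age = now - b.window_start
            if age < self.window_ms or now < b.penalty_until:
                continue
            # Assumption: a bucket that hit the limit is held for one extra window
            # so a streak of hot windows can be recognised before it is forgotten.
            if b.count <= self.limit or age >= 2 * self.window_ms:
                dead.append(key)
        for key in dead:
            del self.buckets[key]

    def allow(self, key, now):
        """True if the response for key=(ip, qname, qtype) may be sent at time now (ms)."""
        self._recycle(now)
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = Bucket(window_start=now)
        elif now - b.window_start >= self.window_ms:
            # New window: remember whether the previous one was over the limit.
            b.hot_streak = b.hot_streak + 1 if b.count > self.limit else 0
            b.window_start, b.count = now, 0
        b.count += 1
        self.peak_buckets = max(self.peak_buckets, len(self.buckets))
        if now < b.penalty_until:
            return False
        if b.count > self.limit:
            # Second limit: only considered once the first limit has already hit
            # in sustained_windows consecutive windows for this key.
            if self.sustained_windows is not None and b.hot_streak >= self.sustained_windows:
                b.penalty_until = now + self.penalty_ms
            return False
        return True


def peak_buckets_for_unique_stream(window_ms, qps=200, seconds=10):
    """Constructed traffic: every query is a distinct (ip, qname, qtype), which is
    what resolver traffic looks like at timescales shorter than the TTL."""
    rrl = ResponseRateLimiter(window_ms=window_ms, limit=5)
    step_ms = 1000 // qps
    for i in range(qps * seconds):
        key = (f"198.51.100.{i % 256}", f"q{i}.example.", "A")
        rrl.allow(key, i * step_ms)
    return rrl.peak_buckets


def allowed_for_sustained_attack(sustained_windows, qps=50, seconds=10):
    """Constructed traffic: one spoofed source repeating the same (qname, qtype)
    at 50 qps against a limit of 5 responses per 1 s window."""
    rrl = ResponseRateLimiter(window_ms=1000, limit=5,
                              sustained_windows=sustained_windows, penalty_ms=10_000)
    key = ("203.0.113.7", "example.", "ANY")
    step_ms = 1000 // qps
    return sum(rrl.allow(key, i * step_ms) for i in range(qps * seconds))


if __name__ == "__main__":
    print("peak buckets, 1 s window:", peak_buckets_for_unique_stream(1000))
    print("peak buckets, 5 s window:", peak_buckets_for_unique_stream(5000))
    print("answers leaked, single limit:", allowed_for_sustained_attack(None))
    print("answers leaked, with second limit:", allowed_for_sustained_attack(3))
```

With 200 unique queries per second the table peaks at 200 buckets for a 1 s window and 1000 for a 5 s window, the fivefold increase the quoted reply describes. Against a sustained 50 qps attack on one key, the single per-window limit still leaks 5 answers every second (50 over 10 s); with the second limit set to trip after three consecutive over-limit windows, the key is penalised for 10 s and the attacker gets 20 answers in total.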