[ratelimits] Fragments of ARM Chapter 6 clarification
paul at redbarn.org
Tue Feb 12 18:08:59 UTC 2013
> I'd gotten the impression that you were against basic firewall
> rate-limiting in front of DNS servers for some reason.
i'm opposed to treating that as a solution to the problem rrl solves,
but i'm not otherwise or fundamentally opposed to doing it.
> So if a DNS server is considered capable of handling X qps it's useful
> to firewall rate limit qps to X as protection from overload when it's
> directly attacked. This higher limit doesn't affect RRL during
> reflection or amplification attacks on others, the two being completely
> different issues and rates. In some cases basic firewall rate limiting
> may also be usefully applied to limit qps from an IP address block
> without DNS response awareness and without affecting RRL functionality.
> How am I doing?
that's the stuff.
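
The distinction agreed on in this exchange, as an added example that is not part of the original thread and not BIND's RRL implementation: a response-unaware limiter set at server capacity and a response-aware limiter act on different traffic at different rates. The traffic, the limits (1000 qps, 5 per second), the /24 grouping and the fixed one-second buckets are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

SERVER_CAPACITY_QPS = 1000  # "X" from the thread; the number is constructed
RRL_PER_SECOND = 5          # constructed per-bucket response limit

def firewall_pass(queries, limit=SERVER_CAPACITY_QPS):
    """Response-unaware: admit at most `limit` packets per second overall."""
    seen, out = defaultdict(int), []
    for q in queries:
        sec = int(q["t"])
        if seen[sec] < limit:
            seen[sec] += 1
            out.append(q)
    return out

def rrl_pass(queries, limit=RRL_PER_SECOND, prefix=24):
    """Response-aware: cap identical answers per client netblock per second.
    The (qname, qtype) pair stands in for the response content."""
    seen, out = defaultdict(int), []
    for q in queries:
        block = ipaddress.ip_network(f"{q['src']}/{prefix}", strict=False)
        key = (int(q["t"]), block, q["qname"], q["qtype"])
        if seen[key] < limit:
            seen[key] += 1
            out.append(q)
    return out

def constructed_traffic():
    """Three constructed one-second workloads (not captured data)."""
    reflection = [{"t": i / 200, "src": "192.0.2.10", "qname": "example.com",
                   "qtype": "ANY"} for i in range(200)]   # one spoofed victim
    resolver = [{"t": i / 50, "src": "198.51.100.53",
                 "qname": f"host{i}.example.com", "qtype": "A"} for i in range(50)]
    flood = [{"t": 1 + i / 5000, "src": f"10.0.{i // 256}.{i % 256}",
              "qname": f"r{i}.example.com", "qtype": "A"} for i in range(5000)]
    return reflection, resolver, flood

def summarize():
    reflection, resolver, flood = constructed_traffic()
    return {
        "firewall_reflection": len(firewall_pass(reflection + resolver)),
        "rrl_reflection": len(rrl_pass(reflection)),
        "rrl_resolver": len(rrl_pass(resolver)),
        "firewall_flood": len(firewall_pass(flood)),
        "rrl_flood": len(rrl_pass(flood)),
    }

if __name__ == "__main__":
    print(summarize())
```

The repeated-answer stream stays far below the capacity limit and passes the firewall untouched, while the direct flood of distinct queries is capped only by the firewall limit.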