[ratelimits] Fragments of ARM Chapter 6 clarification

Paul Vixie paul at redbarn.org
Tue Feb 12 18:08:59 UTC 2013


nudge wrote:
> ...
> I'd gotten the impression that you were against basic firewall
> rate-limiting in front of DNS servers for some reason.

i'm opposed to treating that as a solution to the problem rrl solves,
but i'm not otherwise or fundamentally opposed to doing it.

> So if a DNS server is considered capable of handling X qps it's useful
> to firewall rate limit qps to X as protection from overload when it's
> directly attacked. This higher limit doesn't affect RRL during
> reflection or amplification attacks on others, the two being completely
> different issues and rates. In some cases basic firewall rate limiting
> may also be usefully applied to limit qps from an IP address block
> without DNS response awareness and without affecting RRL functionality.
> How am I doing ?

that's the stuff.
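
The point nudge makes and Vixie confirms, that a per-source firewall cap and RRL key on different things and so catch different attacks, is easy to see in a toy model. The following is an added example written for this archive page; it is not code from the ratelimits list, from BIND, or from Paul Vixie. It models the firewall limit as a per-source-address query counter with no knowledge of responses, and RRL as a per-(qname, qtype, client /24) response counter. Both use a fixed one-second window so the numbers can be checked by hand (BIND's real RRL uses a credit/window token bucket, and its `responses-per-second` and `slip` behaviour are richer than this). The traffic, addresses (documentation ranges) and rates are all constructed for the example.

```python
"""Toy model of firewall per-source rate limiting versus DNS RRL.

Added example for illustration only; not code from BIND or the
ratelimits list. Fixed one-second windows stand in for BIND's
credit/window token buckets so the outcomes are easy to verify.
"""
from collections import defaultdict
import ipaddress


class FirewallLimiter:
    """Per-source query cap: counts packets from each source address per
    second without looking at what the responses would be. This is the
    'X qps' overload guard for the server itself."""

    def __init__(self, qps):
        self.qps = qps
        self.seen = defaultdict(int)   # (src, second) -> packets

    def allow(self, t, src):
        key = (src, int(t))
        self.seen[key] += 1
        return self.seen[key] <= self.qps


class ResponseRateLimiter:
    """Per-response cap: counts identical responses (qname, qtype) sent
    toward one client prefix per second. Because the key is the response
    and the /24, spreading a reflection flood across many spoofed sources
    inside the victim's prefix does not evade it."""

    def __init__(self, rps, prefix_len=24):
        self.rps = rps
        self.prefix_len = prefix_len
        self.seen = defaultdict(int)   # (prefix, qname, qtype, second) -> responses

    def allow(self, t, src, qname, qtype):
        prefix = ipaddress.ip_network(f"{src}/{self.prefix_len}", strict=False)
        key = (prefix, qname, qtype, int(t))
        self.seen[key] += 1
        return self.seen[key] <= self.rps


def run(queries, fw, rrl):
    """Pass each query through the firewall first, then RRL. Returns how
    many each stage dropped and how many responses went out."""
    fw_drop = rrl_drop = sent = 0
    for t, src, qname, qtype in queries:
        if not fw.allow(t, src):
            fw_drop += 1
            continue
        if not rrl.allow(t, src, qname, qtype):
            rrl_drop += 1
            continue
        sent += 1
    return {"fw_drop": fw_drop, "rrl_drop": rrl_drop, "sent": sent}


def direct_flood(n=500):
    """Constructed traffic: one client hammers the server with n distinct
    names inside one second, far above the server's X qps budget."""
    return [(i / n, "198.51.100.7", f"host{i}.example.net.", "A")
            for i in range(n)]


def reflection_flood(victims=100, per_source=3):
    """Constructed traffic: the attacker spoofs `victims` addresses inside
    203.0.113.0/24 and sends the same amplifying query from each, only a
    few per second, so no single source address looks noisy."""
    qs = []
    for host in range(1, victims + 1):
        src = f"203.0.113.{host}"
        for k in range(per_source):
            qs.append((k / per_source, src, "example.com.", "ANY"))
    return qs


def compare(server_qps=200, rrl_rps=5):
    """Run both scenarios through fresh limiters with the given rates."""
    return {
        "direct": run(direct_flood(), FirewallLimiter(server_qps),
                      ResponseRateLimiter(rrl_rps)),
        "reflection": run(reflection_flood(), FirewallLimiter(server_qps),
                          ResponseRateLimiter(rrl_rps)),
    }


if __name__ == "__main__":
    for scenario, result in compare().items():
        print(scenario, result)
```

With a 200 qps firewall cap and 5 responses per second for RRL, the direct flood is cut to 200 by the firewall and RRL passes every one of those (each name is distinct, so no response repeats), while the reflection flood sails through the firewall (three queries per source) and is cut to 5 by RRL because every query yields the same response toward the same /24. Raising the firewall cap to protect a bigger server changes the first number and leaves the second untouched, which is the "two different rates" point in the thread. Real RRL would "slip" a share of the excess as truncated responses to force legitimate clients onto TCP rather than silently dropping them all.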

