[ratelimits] RRL vs other approaches
paul at redbarn.org
Sun Feb 24 06:00:41 UTC 2013
Roland Dobbins wrote:
> Vernon Schryver <vjs at rhyolite.com> wrote:
>> That you manage to "authenticate" some DNS requests from 10.2.3.4
>> using TCP, TSIG, or any other scheme IMPLIES NOTHING about other
>> UDP requests that claim to be from 10.2.3.4.
> That's true - but, you know, I've been using this mechanism to defeat some pretty serious spoofed DDoS attacks for the last 11 years or so, and it works pretty well, in practice. More granularity is welcome, but in a majority of cases, it's been Good Enough. ...
good enough for point solutions such as ddos-resistance as a service: yes.
good enough to be generally deployable by end system operators: no.
we're talking about different things.