[ratelimits] new RRL patch

Feng He fenghe at nsbeta.info
Sun Jan 6 06:23:11 UTC 2013


   from: http://ss.vix.su/~vixie/isc-tn-2012-1.txt

2.2.4. WINDOW (15). Rate limiting uses a "credit" or "token bucket"
    scheme.  Each identical response has a conceptual account that is given
    RESPONSES-PER-SECOND and ERRORS-PER-SECOND credits every second. A DNS
    request triggering some desired response debits the account by one.
    Responses are not sent while the account is negative. The account cannot
    become more positive than the per-second limit or more negative than
    window times the per-second limit. A DNS client that sends requests that
    are not answered can therefore be penalized for up to window seconds even
    after the abusive query flow stops.

--------------------------------------
Paul, this is hard for me to understand due to my poor English.
Can you describe it more clearly, or with an example?

Thanks.


On 2013-1-6 11:39, Paul Vixie wrote:
>
>
> Feng He wrote:
>> I could open a ssh account for you and you could login directly to the
>> nameserver host to watch the result, is it right?
>
> i think that i would not enjoy such great responsibility for keeping
> your system safe.
>
> perhaps you would be willing to share your named.conf file here, and
> explain the change in behaviour you saw when you first began to use RRL?
>
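The following is an added illustration of the token-bucket account described in the quoted section 2.2.4; it is not BIND's or the technical note's own code. It models only the RESPONSES-PER-SECOND credit (ERRORS-PER-SECOND is left out), runs time in whole seconds, and assumes a fresh account starts with a full balance; the traffic figures are constructed for the demonstration.

```python
from dataclasses import dataclass, field


@dataclass
class RRLAccount:
    """Credit account for one 'identical response' (ISC-TN-2012-1, 2.2.4).

    rate   = RESPONSES-PER-SECOND: credits added every second, and also the
             ceiling of the balance ("cannot become more positive than the
             per-second limit").
    window = WINDOW: the balance may not drop below -window * rate
             ("more negative than window times the per-second limit").
    """
    rate: int
    window: int
    balance: int = field(init=False)

    def __post_init__(self) -> None:
        # Assumption of this example: a new account starts with a full second
        # of credit; the note does not specify the starting balance.
        self.balance = self.rate

    def tick(self) -> None:
        """One second passes: add the per-second credit, capped at the ceiling."""
        self.balance = min(self.balance + self.rate, self.rate)

    def request(self) -> bool:
        """Debit one credit for a request. The response is sent only if the
        account is still non-negative afterwards. The floor limits how deep a
        flood can dig the hole, so recovery takes at most `window` seconds."""
        self.balance = max(self.balance - 1, -self.window * self.rate)
        return self.balance >= 0


def simulate(rate: int, window: int, queries_per_second: list[int]) -> list[tuple[int, int]]:
    """Run one account second by second.

    queries_per_second[i] is the number of identical requests in second i.
    Returns, per second, (responses actually sent, balance at end of second).
    """
    acct = RRLAccount(rate=rate, window=window)
    result = []
    for n in queries_per_second:
        acct.tick()
        sent = 0
        for _ in range(n):
            if acct.request():
                sent += 1
        result.append((sent, acct.balance))
    return result


if __name__ == "__main__":
    # Constructed scenario: a flood of 20 identical queries/s for 4 seconds,
    # then a legitimate client asking the same question once per second.
    load = [20, 20, 20, 20, 1, 1, 1, 1]
    for sec, (sent, bal) in enumerate(simulate(5, 3, load), start=1):
        print(f"second {sec}: {load[sec - 1]:2d} requests, {sent} sent, balance {bal:4d}")
```

With rate 5 and window 3 the flood is answered only 5 times in its first second and then drives the balance to the floor of -15. When the flood stops, the balance climbs by 5 per second, so even the well-behaved 1 query/s client gets no answer for the next 3 seconds (the "window") before responses resume; raising WINDOW lengthens that penalty, lowering it shortens it.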