IN TXT & NULL trash records

Paul Vixie paul at redbarn.org
Wed Nov 28 18:08:04 UTC 2018



Maciej Gawron via Unbound-users wrote:
> Hi,
> I think global IP-ratelimit will fit nicely.

i disagree, since the source ip addresses are nonrepudiable. a non-protocol-aware rate limiter is an easy ddos vector since an attacker can use up all available credits for some victim simply by forging that victim's ip address on an otherwise normal looking flow.

see: https://www.icann.org/en/system/files/files/sac-004-en.pdf

also: https://queue.acm.org/detail.cfm?id=2578510

transaction or session limits will be nec'y; packet limits are wrong where udp is concerned.

-- 
P Vixie