Better ratelimiting? (again)

Maciej Gawron gaweron at
Wed Jan 16 13:06:43 UTC 2019


> 1) Mimic what's common in the "networking world", allowing to configure a (higher) burst limit, could be a way of allowing bursty clients to finish all lookups without getting slowed down by dropped queries.
> I like this idea:)
I observe lot of clients, that send a lot of queries in first second of
data transmission.
Perfect solution (for me;) would be : If IP send more than X queries in Y
seconds, deny all queries from this IP for Z seconds

example of my usecase:
second 1: Regular Client: 80qps
second 2: Regular Client: 10qps
second 3: Regular Client: 5qps
second 4: Regular Client: 4qps
second 5: Regular Client: 3qps

second 1: Malicious Client: 50qps
second 2: Malicious Client: 50qps
second 3: Malicious Client: 50qps
second 4: Malicious Client: 50qps
second 5: Malicious Client: 50qps

ip-ratelimit 40 might be perfect for malicious client, but it impacts
regular client experience.

Even measuring number of queries for two seconds ( instead of 1 ) would
make huge improvement.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Unbound-users mailing list