On 06/19/2012 04:10 PM, Matthew Toseland wrote:
> However, DoS protection should be a little stronger than has been
> discussed: You should limit the average number of probes on a
> given link per unit time, like we do with swapping. This should
> probably be an average, and should be generous enough that it isn't
> going to be violated by accident, but it's preferable to having a
> limit on in-flight probes, as it will quench any flood more or less
> at source, and the attacker will be limited by the number of
> connections he has (at least on darknet, connections are
> expensive).
The number of probes accepted per peer is limited with a counter which increments when a request is accepted, decrements 60 seconds later, and has a maximum (currently 10) above which no more requests are accepted from that peer. Is my understanding correct that this is an acceptable way to implement per-link limits?
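The per-link limiter described in the reply, written out as an added example (Python, not Freenet's own Java code, and not from either poster): a counter per peer that goes up when a probe is accepted, comes back down 60 seconds later, and blocks further probes from that peer while it sits at the maximum of 10. Keeping the acceptance timestamps and discarding the ones older than 60 seconds gives the same counter value without a timer per request. The peer names, the injectable clock and the probe schedule are constructed for the demonstration.

```python
"""Per-peer probe limiter modelled on the scheme in the reply above.

Counter semantics: +1 when a probe from a peer is accepted, -1 sixty
seconds later, reject while the counter is at the maximum (10).
"""
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Hashable, List, Tuple

WINDOW_SECONDS = 60.0   # an increment is undone 60 s after acceptance
MAX_IN_WINDOW = 10      # "currently 10" in the reply


class PeerProbeLimiter:
    """Accept at most max_in_window probes per peer in any window."""

    def __init__(self, max_in_window=MAX_IN_WINDOW, window=WINDOW_SECONDS, clock=None):
        self.max_in_window = max_in_window
        self.window = window
        # Injectable time source so the behaviour can be checked offline.
        self.clock = clock if clock is not None else time.monotonic
        # One deque of acceptance timestamps per peer; its length is the counter.
        self._accepted: Dict[Hashable, Deque[float]] = defaultdict(deque)

    def _expire(self, peer, now):
        q = self._accepted[peer]
        while q and now - q[0] >= self.window:
            q.popleft()            # the "decrement 60 seconds later"

    def counter(self, peer) -> int:
        """Current counter value for a peer (after expiring old entries)."""
        self._expire(peer, self.clock())
        return len(self._accepted[peer])

    def try_accept(self, peer) -> bool:
        """Return True and count the probe if the peer is under its limit."""
        now = self.clock()
        self._expire(peer, now)
        q = self._accepted[peer]
        if len(q) >= self.max_in_window:
            return False           # over the per-link limit: drop the probe
        q.append(now)              # the "increment when a request is accepted"
        return True


class FakeClock:
    """Constructed clock for simulation; real code uses time.monotonic."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, dt: float) -> None:
        self.t += dt


def simulate(schedule: List[Tuple[float, str]], max_in_window=MAX_IN_WINDOW,
             window=WINDOW_SECONDS) -> Dict[str, Tuple[int, int]]:
    """Replay (time, peer) probe arrivals; return peer -> (accepted, rejected)."""
    clock = FakeClock()
    limiter = PeerProbeLimiter(max_in_window, window, clock)
    tally = defaultdict(lambda: [0, 0])
    for t, peer in sorted(schedule):
        clock.t = t
        tally[peer][0 if limiter.try_accept(peer) else 1] += 1
    return {peer: (acc, rej) for peer, (acc, rej) in tally.items()}


def demo_schedule() -> List[Tuple[float, str]]:
    """Constructed traffic: one peer floods, one probes at a normal rate."""
    flood = [(float(t), "flooder") for t in range(50)]          # 1 probe/s for 50 s
    honest = [(float(t), "honest") for t in range(0, 101, 20)]  # 1 probe per 20 s
    return flood + honest


if __name__ == "__main__":
    for peer, (acc, rej) in simulate(demo_schedule()).items():
        print(f"{peer}: accepted={acc} rejected={rej}")
```

The flood is quenched on the link it arrives on: the flooder gets its first 10 probes through and the remaining 40 are dropped until its earliest acceptance ages out, while the honest peer's probes are all accepted because the counter is per peer rather than global. Note that this fixed 60-second counter lets a peer burst to the maximum and then sends nothing for the rest of the window; it is a per-link limit on accepted probes per unit time, not a limit on in-flight probes.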