> - Rate limit clients to 100 qps. Drop for 5 mins if exceeded.
> - Rate limit client to 5 identical queries per second. Drop for 5 mins
> if exceeded.

> Any logical errors, or other errors, you see there? Also, any, simple
> to implement, enhancements you could add?

The first rule is to do whatever works in your situation no matter what
outsiders say.

Are you counting identical queries including qtype as well as qname?
Are you dropping identical queries or all queries?

Counting all queries might not work on a server for a popular domain,
because there can be a lot of legitimate queries from a single carrier
grade NAT IP address. Even counting 5 identical queries or responses
might cause problems for a sufficiently popular web site.

Counting identical queries instead of identical responses might let a bad
guy reflect a stream of 1500+ byte NXDOMAIN responses using a stream of
queries for unique bogus domains.

Blocking at 5 identical queries per second sounds reasonable to me, but
blocking for 5 minutes sounds far too long, because it might
unnecessarily drop legitimate queries. A 5 minute window means that on
average it will be closed 2.5 minutes after the attack stops. If your
scheme can react to the first 5 identical queries in a second, why not
block for only 10 or 15 seconds?

Vernon Schryver [email protected]

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
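As an added illustration of the two points made in the reply above (count identical responses rather than identical queries, and keep the block window short), the following Python is not from the thread or from any DNS server; it simulates a per-client sliding-window limiter under both key choices. The client address, the bogus names, the zone and the timings are constructed for the example.

```python
from collections import defaultdict, deque

class RateLimiter:
    """Sliding-window limiter: at most `limit` hits of one key per `window`
    seconds per client; an offending (client, key) is dropped for `block`
    seconds, after which it is served again."""

    def __init__(self, limit=5, window=1.0, block=15.0):
        self.limit, self.window, self.block = limit, window, block
        self.hits = defaultdict(deque)  # (client, key) -> recent hit times
        self.blocked_until = {}         # (client, key) -> block expiry time

    def allow(self, client, key, now):
        """True if the response may be sent, False if it is dropped."""
        k = (client, key)
        if self.blocked_until.get(k, 0.0) > now:
            return False
        q = self.hits[k]
        q.append(now)
        while q[0] <= now - self.window:   # forget hits outside the window
            q.popleft()
        if len(q) > self.limit:
            self.blocked_until[k] = now + self.block
            q.clear()
            return False
        return True

def key_by_query(qname, qtype, rcode, zone):
    """Count identical queries: every unique bogus name is its own bucket."""
    return ("query", qname.lower(), qtype)

def key_by_response(qname, qtype, rcode, zone):
    """Count identical responses: all NXDOMAINs for a zone share one bucket."""
    if rcode == "NXDOMAIN":
        return ("nxdomain", zone.lower())
    return ("answer", qname.lower(), qtype, rcode)

def simulate(keyfn, block):
    """Constructed stream: one client sends 20 queries for unique bogus names
    under example.com. within 0.5 s, then one more at t=20 s.
    Returns (responses sent during the burst, whether the later one was served)."""
    lim = RateLimiter(limit=5, window=1.0, block=block)
    client = "192.0.2.1"  # constructed address from the TEST-NET-1 range
    sent = 0
    for i in range(20):
        key = keyfn(f"bogus{i}.example.com.", "A", "NXDOMAIN", "example.com.")
        sent += lim.allow(client, key, now=i * 0.025)
    later_key = keyfn("bogus99.example.com.", "A", "NXDOMAIN", "example.com.")
    return sent, lim.allow(client, later_key, now=20.0)
```

Keyed by query, all 20 unique names pass and the limiter never fires; keyed by response, only the first 5 NXDOMAINs are sent, and with a 15 s block the client is served again at t=20 s, whereas a 300 s block still drops it.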
