* Roland Dobbins:

> If the rate-limiting is based upon source IPs, then there's
> potentially a lot of state there. If the rate-limiting is based
> upon the destination IP, then it guarantees that
> programmatically-generated attack traffic will 'crowd out'
> legitimate requests.
Reflection attacks do not use totally random source addresses, so the typical state exhaustion vector does not necessarily apply. (With IPv6, there are more bits which could be abused for randomness, but then, a contradiction between the specification and deployed stacks makes it impossible to serve IPv6 traffic in a stateless fashion, so the entire discussion is pointless.)
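An added illustration of the state argument above (not code from this thread or from any DNS server's response rate limiting): a per-source-IP token bucket fed with two constructed streams, reflection traffic whose spoofed source is a handful of victim addresses, and a random-source flood. The addresses, rate and burst values are assumptions; the query count shows how the number of state entries differs between the two cases.

```python
import ipaddress
import random


class SourceRateLimiter:
    """Token bucket keyed by source IP: the per-source state the quoted reply worries about."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.buckets = {}  # src -> (tokens, last_seen); one entry per distinct source

    def allow(self, src, now):
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill since last query
        allowed = tokens >= 1.0
        if allowed:
            tokens -= 1.0
        self.buckets[src] = (tokens, now)
        return allowed


def reflection_stream(victims, n, dt=0.001):
    """Constructed reflection traffic: the spoofed source is the victim's address,
    so the set of distinct sources stays tiny however large the query volume."""
    return [(victims[i % len(victims)], i * dt) for i in range(n)]


def random_source_stream(n, dt=0.001, seed=1):
    """Constructed random-source flood: the case in which per-source state does grow."""
    rng = random.Random(seed)
    return [(str(ipaddress.IPv4Address(rng.getrandbits(32))), i * dt) for i in range(n)]


def run(stream, rate=10.0, burst=20):
    """Feed a stream through a fresh limiter; return (responses sent, state entries held)."""
    limiter = SourceRateLimiter(rate, burst)
    sent = sum(limiter.allow(src, t) for src, t in stream)
    return sent, len(limiter.buckets)


if __name__ == "__main__":
    victims = ["192.0.2.10", "192.0.2.11"]  # assumed documentation-range victim addresses
    print("reflection:", run(reflection_stream(victims, 10000)))
    print("random src:", run(random_source_stream(10000)))
```

With 10,000 queries over ten seconds, the reflection stream leaves two state entries and a few hundred answered queries, while the random-source stream leaves roughly 10,000 entries, which is the state blow-up the reply says does not apply to reflection.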
