On 2023-07-19, mabi <m...@protonmail.ch> wrote:
> ------- Original Message -------
> On Tuesday, July 18th, 2023 at 10:59 PM, Stuart Henderson
> <stu.li...@spacehopper.org> wrote:
>
>> PF's state-tracking options are only for TCP. (Blocking an IP
>> based on number of connections from easily spoofed UDP is a good
>> way to let third parties prevent your machine from communicating
>> with IPs that may well get in the way i.e. trigger a "self DoS").
>
> What a pity, these kinds of rate limiting options for UDP would have been
> quite useful.
I don't think you understood what I wrote then - they are the opposite of helpful here. Say you are running a DNS recursive resolver with such protection; if someone were to send you spoofed high rate packets from the IPs of the root servers, some big gTLD/ccTLD servers, or big DNS hosters (cloudflare or someone), your lookups will be quite broken. Likewise for an authoritative server: send packets with source IPs of some large DNS recursive resolvers and you then won't be sending replies to legitimate requests from those resolvers. The difference with TCP is that someone sending packets needs to be able to see the response to those packets in order to carry out the handshake. That's not needed for UDP where a single packet in one direction is all that's needed.