Rate-limiting based on data_throughput/time | |
| [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] | |
I want to rate limit queries to protect from Polyakov styled attack:http://www.nytimes.com/2008/08/09/technology/09flaw.html? _r=1&partner=rssnyt&emc=rss&oref=slogin
ISC's Paul Vixie recommends limiting to 10Mbits/sec to mitigate this attack vector, but I can't find anything on iptables rate limiting based on bits, bytes, or Mb / time (as opposed to packets/time). Assuming that the size of any single UDP packet in a query can change, up to the limit where it is refused in exchange for a tcp packet, I can't even see how the correct packets/time could be accurately inferred. Any recommendations?
Thanks! Steven Stromer -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
[Linux Netfilter Development] [Linux Kernel Development] [TCP/IP Books] [Linux Resources] [LARTC] [Home] [Bugtraq] [Consulting] [Free Internet Dating] [Yosemite Forum] [Photo]
|
|