[c-nsp] rate limit dns

Eugeniu Patrascu eugen at imacandi.net
Thu Jan 2 12:32:45 EST 2014


On Thu, Jan 2, 2014 at 7:22 PM, Dobbins, Roland <rdobbins at arbor.net> wrote:

>
> On Jan 3, 2014, at 12:17 AM, Mack McBride <mack.mcbride at viawest.com>
> wrote:
>
> > The big problem with DDoS is pipe filling anyway, not CPU load.
>
> That's entirely subjective and varies from attack to attack, FYI.
>
> And to clarify, the issue with putting stateful anything in front of
> servers isn't primarily CPU load (although it certainly can be a factor),
> but rather state-table memory exhaustion.
>
>
My reasoning on putting something stateful was to have it timeout
connections in 2-3 seconds max (Windows for example has 2 sec. DNS server
query timeout).

With modern machines (from a few years back) you can track a lot of
connections effortlessly.


The whole idea with the stateful filtering was to make the machines drop
unwanted traffic before it reaches the DNS daemon, assuming it takes less
time for iptables/pf to match this kind of traffic in kernel space than it
takes a resolver in userspace.

I am a big fan of non-stateful things when they are warranted, but in
some cases I see the point of statefulness.
