[prev in list] [next in list] [prev in thread] [next in thread]
List: netfilter
Subject: Rate-limiting based on data_throughput/time
From: Steven Stromer <filter () stevenstromer ! com>
Date: 2008-08-18 18:45:15
Message-ID: B1ECFB2B-9779-4732-9D7B-209ECE215E76 () stevenstromer ! com
[Download RAW message or body]
I want to rate limit queries to protect from Polyakov styled attack:
http://www.nytimes.com/2008/08/09/technology/09flaw.html?
_r=1&partner=rssnyt&emc=rss&oref=slogin
ISC's Paul Vixie recommends limiting to 10Mbits/sec to mitigate this
attack vector, but I can't find anything on iptables rate limiting
based on bits, bytes, or Mb / time (as opposed to packets/time).
Assuming that the size of any single UDP packet in a query can
change, up to the limit where it is refused in exchange for a tcp
packet, I can't even see how the correct packets/time could be
accurately inferred. Any recommendations?
Thanks!
Steven Stromer
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic