[prev in list] [next in list] [prev in thread] [next in thread] 

List:       netfilter
Subject:    Rate-limiting based on data_throughput/time
From:       Steven Stromer <filter () stevenstromer ! com>
Date:       2008-08-18 18:45:15
Message-ID: B1ECFB2B-9779-4732-9D7B-209ECE215E76 () stevenstromer ! com
[Download RAW message or body]

I want to rate limit queries to protect from Polyakov styled attack:
http://www.nytimes.com/2008/08/09/technology/09flaw.html? 
_r=1&partner=rssnyt&emc=rss&oref=slogin

ISC's Paul Vixie recommends limiting to 10Mbits/sec to mitigate this  
attack vector, but I can't find anything on iptables rate limiting  
based on bits, bytes, or Mb / time (as opposed to packets/time).  
Assuming that the size of any single UDP packet in a query can  
change, up to the limit where it is refused in exchange for a tcp  
packet, I can't even see how the correct packets/time could be  
accurately inferred. Any recommendations?

Thanks!
Steven Stromer
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[prev in list] [next in list] [prev in thread] [next in thread]