Maciej Gawron via Unbound-users wrote:
> Hi,
> I think global IP-ratelimit will fit nicely.
I disagree, since the source IP addresses are nonrepudiable. A
non-protocol-aware rate limiter is an easy DDoS vector since an attacker
can use up all available credits for some victim simply by forging that
victim's IP address on an otherwise normal-looking flow.
See: https://www.icann.org/en/system/files/files/sac-004-en.pdf
Also: https://queue.acm.org/detail.cfm?id=2578510
Transaction or session limits will be necessary; packet limits are wrong
where UDP is concerned.
--
P Vixie
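The failure mode argued above, as an added simulation that is not part of the thread or of Unbound: a per-source-address token bucket charged under two policies. The "packet" policy charges every datagram by its claimed source, so forged datagrams drain the victim's credits; the "transaction" policy charges only after the peer has proved it can receive replies (a handshake or cookie round trip, modelled here as a `verified` flag), so forged datagrams never touch the victim's bucket. Addresses, burst and refill values are constructed for the example.

```python
from dataclasses import dataclass

# Constructed model, not Unbound's code: one token bucket per source address.
@dataclass
class Event:
    claimed_src: str  # source address as written in the packet header (spoofable)
    verified: bool    # True once the peer completed a handshake/cookie exchange

@dataclass
class Bucket:
    credits: float
    last: float  # time of the last refill

class RateLimiter:
    def __init__(self, policy, burst=10, rate=1.0):
        self.policy, self.burst, self.rate = policy, burst, rate
        self.buckets = {}

    def _bucket(self, key, now):
        b = self.buckets.setdefault(key, Bucket(self.burst, now))
        b.credits = min(self.burst, b.credits + (now - b.last) * self.rate)
        b.last = now
        return b

    def admit(self, ev, now):
        # Transaction policy: an unverified datagram gets a cheap challenge and
        # is not charged to the address it claims, so forgery cannot drain it.
        if self.policy == "transaction" and not ev.verified:
            return "challenge"
        b = self._bucket(ev.claimed_src, now)
        if b.credits >= 1:
            b.credits -= 1
            return "answer"
        return "drop"

def simulate(policy, forged_count=50):
    """Returns (decision for the victim's own request, forged datagrams fully answered)."""
    lim = RateLimiter(policy, burst=10, rate=1.0)
    victim = "192.0.2.10"  # constructed address from the documentation range
    t, forged_answered = 0.0, 0
    # Attacker sends datagrams bearing the victim's address; it cannot complete
    # a handshake as the victim, so these are never verified.
    for _ in range(forged_count):
        t += 0.001
        if lim.admit(Event(victim, verified=False), t) == "answer":
            forged_answered += 1
    t += 0.001  # the victim's genuine, verified request arrives next
    return lim.admit(Event(victim, verified=True), t), forged_answered
```

Under the packet policy the victim's own request is dropped after the forged burst; under the transaction policy it is answered and no forged datagram ever received a full answer.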