Saucepan

User Tools

Site Tools

Trace: vmware firewall_config_sync windows_networking initial_setup decryption
infoblox_nios:rate_limiting

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

infoblox_nios:rate_limiting [2022/11/30 12:02] – created bstaffordinfoblox_nios:rate_limiting [2023/03/24 08:18] (current) bstafford
Line 8: Line 8:
   * [[https://docs.infoblox.com/display/NCG8/set+dns_rrl|DNS Rate Limit]] is used to protect the server from being overloaded by queries (e.g. protect against DDoS attacked and amplification attacks against another system).   * [[https://docs.infoblox.com/display/NCG8/set+dns_rrl|DNS Rate Limit]] is used to protect the server from being overloaded by queries (e.g. protect against DDoS attacked and amplification attacks against another system).
   * [[https://docs.infoblox.com/display/NCG8/set+ip_rate_limit|IP Rate Limit]] is when we protect the DNS server from being overwhelmed by responses to queries that it made (e.g. protect against cache poisoning).   * [[https://docs.infoblox.com/display/NCG8/set+ip_rate_limit|IP Rate Limit]] is when we protect the DNS server from being overwhelmed by responses to queries that it made (e.g. protect against cache poisoning).
 +
 +===== From BIND Manual =====
 +Excessive, almost-identical UDP responses can be controlled by configuring a rate-limit clause in an options or
 +view statement. This mechanism keeps authoritative BIND 9 from being used to amplify reflection denial-of-service
 +(DoS) attacks. Short BADCOOKIE errors or truncated (TC=1) responses can be sent to provide rate-limited responses
 +to legitimate clients within a range of forged, attacked IP addresses. Legitimate clients react to dropped responses by retrying, to BADCOOKIE errors by including a server cookie when retrying, and to truncated responses by switching to TCP.
 +
 +This mechanism is intended for authoritative DNS servers. It can be used on recursive servers, but can slow applications such as SMTP servers (mail receivers) and HTTP clients (web browsers) that repeatedly request the same domains. When possible, closing “open” recursive servers is better.
 +
 +
 +Response rate limiting uses a “credit” or “token bucket” scheme. Each combination of identical response and client has a conceptual “account” that earns a specified number of credits every second. A prospective response debits its account by one. Responses are dropped or truncated while the account is negative. Responses are tracked within a rolling window of time which defaults to 15 seconds, but which can be configured with the window option to any value from 1 to 3600 seconds (1 hour). The account cannot become more positive than the per-second limit or more negative than window times the per-second limit. When the specified number of credits for a class of responses is set to 0, those responses are not rate-limited.
  
 ===== RRL ===== ===== RRL =====
infoblox_nios/rate_limiting.1669809733.txt.gz · Last modified: by bstafford