On 2013-05-24 14:04 , Michael Richter wrote:
Hmm I thought it is better you'll do the rate limiting on a lower layer. It's the same fix. you give the customer x queries in y time.
It is FAR from the "same fix". RRL has knowledge of the query and the answer it would give.
Amongst others RRL suggests TCP fall back to the client, thus giving non-spoofed clients the possibility to query using TCP and get the query through anyway.
Of course when the rate limit is surpassed even with TCP it will be ratelimitted there too.
But with RRL I think every query is counted. With iptables you can say, just count the ANY queries.
The type of query does not matter for abusers, they are using standard A or DS, TXT and other such records too.
The rate that they come in at and the amount that you are replying to the spoofer does as then you are sending the junk to the spoofed source.
Greets, Jeroen