Bug 1187 - Source IP rate limiting
Source IP rate limiting
Product: unbound
Classification: Unclassified
Component: server
Other All
: P5 enhancement
Assigned To: unbound team
Depends on:
  Show dependency treegraph
Reported: 2016-12-16 03:51 CET by Manu Bretelle
Modified: 2017-01-05 20:28 CET (History)
3 users (show)

See Also:

src ip rate limit (59.45 KB, application/octet-stream)
2016-12-16 03:51 CET, Manu Bretelle

Note You need to log in before you can comment on or make changes to this bug.
Description Manu Bretelle 2016-12-16 03:51:47 CET
Created attachment 370 [details]
src ip rate limit

Add support for source IP rate limiting. A la `ratelimiting` for random label attack, this adds support for rate-limiting based on source address.

Currently supported:
- 1 global limit for all IPs (e.g all src IP will have the same number of allowed queries by second)
- ip ratelimit factor
- ip-ratelimit-size
- ip-ratelimit-slabs
- stats counters

This patch was contributed by Larissa Feng during her internship.

Other work based on this, is per IP rate limits to override global one + runtime update over the unbound-control interface. (alike ratelimit-for-domain).
Comment 1 Robert Edmonds 2016-12-16 05:40:28 CET

(I'm not an Unbound maintainer, just an interested reader.)

Software firewalls already have the capability to rate-limit by source IP address (e.g. the iptables "hashlimit" match on Linux, and similar functionality in other OSes). Why does this functionality need to be duplicated (and maintained) in Unbound? It seems like it would be better to rely on kernel-level features for this capability.
Comment 2 Wouter Wijngaards 2016-12-16 09:35:35 CET
Hi Manu, and Larissa,

Thank you for the patch (I am also interested in Robert's argument, because we don't want spurious code bloat, so why is it an attractive feature to have?).

Is your patch BSD licensed?

Best regards, Wouter
Comment 3 Manu Bretelle 2016-12-16 20:21:19 CET

Thanks for the quick feedback.

Fair point on using iptables vs application level + added code there.

Application level configuration makes it easier to manage rate limiting when disassociating the service from the host. Say people deploy the service in a container with restricted network capabilities. The rate limiting for the service can be deployed with the service config alike ACLs. Being able to change those settings at run-time over the control interface from userland.

As much as perf wise, it will be much better done by iptables, but I think this can help provide an entry level solution that people can easily use from userland without caring of maintaining iptables separately.

And yes, the patch is BSD licensed.

Comment 4 Wouter Wijngaards 2017-01-05 14:58:13 CET
Hi Manu, Larissa,

Thank you for the patch!  I have incorporated it.

Tools against DDoS are very important, and it is not clear which ones are needed.

Best regards, Wouter
Comment 5 Manu Bretelle 2017-01-05 20:28:12 CET
Thanks Wouter