Bugzilla – Bug 1187
Source IP rate limiting
Last modified: 2017-01-05 20:28:12 CET
Created attachment 370
src ip rate limit
Add support for source IP rate limiting. A la `ratelimiting` for random label attack, this adds support for rate-limiting based on source address.
- 1 global limit for all IPs (e.g. all src IPs will have the same number of allowed queries per second)
- ip ratelimit factor
- stats counters
This patch was contributed by Larissa Feng during her internship.
Other work based on this is per-IP rate limits to override the global one, plus runtime updates over the unbound-control interface (like ratelimit-for-domain).
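To make the three items in the description concrete (one global per-IP limit, a ratelimit factor, stats counters), here is an added Python sketch of such a limiter. It is not the attached patch or Unbound's code; the one-second fixed window, the deterministic 1-in-N slip and the counter names are assumptions made for illustration.

```python
"""Per-source-IP query rate limiter sketch (added example, not the Unbound patch).

Assumptions: a fixed one-second window per source address, one global limit
applied to every address, a `factor` that lets 1 in N over-limit queries
through (in the spirit of the existing ratelimit-factor for domains, but
deterministic here so the behaviour is reproducible), and simple counters.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SourceRateLimiter:
    qps_limit: int            # allowed queries per second per source IP (0 = off)
    factor: int = 10          # 1 in `factor` over-limit queries still served; 0 = drop all
    counts: dict = field(default_factory=lambda: defaultdict(int))  # src ip -> queries this second
    window: dict = field(default_factory=dict)                      # src ip -> second counted
    stats: dict = field(default_factory=lambda: {"queries": 0, "ratelimited": 0, "slipped": 0})

    def allow(self, src_ip: str, now: float) -> bool:
        """Return True if the query from src_ip arriving at time `now` should be served."""
        self.stats["queries"] += 1
        if self.qps_limit == 0:
            return True
        second = int(now)
        if self.window.get(src_ip) != second:      # new second: reset this source's bucket
            self.window[src_ip] = second
            self.counts[src_ip] = 0
        self.counts[src_ip] += 1
        if self.counts[src_ip] <= self.qps_limit:
            return True
        # Over the limit: let 1 in `factor` through so a spoofed burst from an
        # address cannot fully starve a legitimate client sharing that address.
        over = self.counts[src_ip] - self.qps_limit
        if self.factor and over % self.factor == 0:
            self.stats["slipped"] += 1
            return True
        self.stats["ratelimited"] += 1
        return False
```

Each source address gets its own bucket but the same limit, which is the "1 global limit for all IPs" behaviour; the counters are what a stats output would report.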
(I'm not an Unbound maintainer, just an interested reader.)
Software firewalls already have the capability to rate-limit by source IP address (e.g. the iptables "hashlimit" match on Linux, and similar functionality in other OSes). Why does this functionality need to be duplicated (and maintained) in Unbound? It seems like it would be better to rely on kernel-level features for this capability.
Hi Manu, and Larissa,
Thank you for the patch (I am also interested in Robert's argument, because we don't want spurious code bloat, so why is it an attractive feature to have?).
Is your patch BSD licensed?
Best regards, Wouter
Thanks for the quick feedback.
Fair point on using iptables vs application level + added code there.
Application-level configuration makes it easier to manage rate limiting when disassociating the service from the host. Say people deploy the service in a container with restricted network capabilities. The rate limiting for the service can be deployed with the service config, like ACLs, and those settings can be changed at run-time over the control interface from userland.
Perf-wise it will be done much better by iptables, but I think this can help provide an entry-level solution that people can easily use from userland without caring about maintaining iptables separately.
And yes, the patch is BSD licensed.
Hi Manu, Larissa,
Thank you for the patch! I have incorporated it.
Tools against DDoS are very important, and it is not clear which ones are needed.
Best regards, Wouter