jtk at ultradns.com
Thu Mar 2 03:04:09 UTC 2006
On Wed, Mar 01, 2006 at 08:09:55PM -0600, Rob Thomas wrote:
> Again if there is an easily deployed and managed approach to
> rate limits, I know lots of folks to whom I'd refer that guide.
> I'll sign up for service from Bill's bait&sushi any day. :) I
> think John Kristoff has done some work in this area, so it may
> be worth a ping on him.
Hi, I'm here. Quick summary and people can find me offlist if they
want to follow up. I've implemented some ingress (to the router)
rate limits on interfaces that are facing end hosts or an edge
network (e.g. university). That is, limiting the sending rate from
the edge into the larger upstream internetwork. I've done this by
protocol and on a per src address basis with varying success. It
makes no sense to me to do it in the other direction. You have
to be careful, as you can break stuff, but in general it is a
hack that might work OK in some situations. I've also tried some
slightly more tricky (foolish?) approaches using RED or a variant
with and without packet marking. None of these tricks I've been
able to successfully implement mainly due to equipment limitations,
but it's far from clear whether they would have helped anyway (and
quite possibly they may have had some adverse side effects).
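
The per-protocol, per-source ingress limit described in the message above can be modelled as a token bucket keyed on (source address, protocol). The sketch below is an added example, not code from the original post or from any router vendor. The rate and burst values, the addresses and the traffic are all constructed assumptions. It shows both the intended effect on a high-rate sender and the "you can break stuff" case, where a legitimate but bursty host also loses packets.

```python
from collections import defaultdict

class IngressPolicer:
    """Token-bucket policer keyed by (source address, protocol)."""

    def __init__(self, limits):
        # limits: protocol -> (rate in packets/sec, burst in packets).
        # The values passed in below are assumptions for illustration.
        self.limits = limits
        self.buckets = {}  # (src, proto) -> (tokens, time of last packet)

    def allow(self, ts, src, proto):
        if proto not in self.limits:
            return True  # protocols without a configured limit pass
        rate, burst = self.limits[proto]
        tokens, last = self.buckets.get((src, proto), (float(burst), ts))
        # Refill for the elapsed time, never beyond the burst size.
        tokens = min(float(burst), tokens + (ts - last) * rate)
        ok = tokens >= 1.0
        self.buckets[(src, proto)] = (tokens - 1.0 if ok else tokens, ts)
        return ok

def sample_traffic():
    """Constructed one-second trace of (timestamp, src, proto) tuples."""
    pkts = []
    # High-rate sender: 1000 UDP packets in one second.
    pkts += [(i / 1000.0, "192.0.2.10", "udp") for i in range(1000)]
    # Legitimate but bursty host: 60 UDP packets in a tenth of a second.
    pkts += [(0.5 + i / 600.0, "192.0.2.20", "udp") for i in range(60)]
    # Steady low-rate host: 10 UDP packets per second.
    pkts += [(i / 10.0, "192.0.2.30", "udp") for i in range(10)]
    # TCP from the high-rate sender has no limit configured here.
    pkts += [(i / 100.0, "192.0.2.10", "tcp") for i in range(100)]
    return sorted(pkts)

def run(policer, packets):
    """Return a dict of dropped-packet counts per (src, proto)."""
    dropped = defaultdict(int)
    for ts, src, proto in packets:
        if not policer.allow(ts, src, proto):
            dropped[(src, proto)] += 1
    return dict(dropped)

if __name__ == "__main__":
    policer = IngressPolicer({"udp": (50, 20)})  # assumed: 50 pps, burst 20
    for key, count in sorted(run(policer, sample_traffic()).items()):
        print(key, "dropped", count)
```

Raising the burst size spares the bursty host, at the cost of letting the high-rate sender through for longer before the limit takes hold.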