pfdhcplistener rate-limiting #1722
Comments
|
@julsemaan proposed to use redis to store the "count" of packets coming from different devices based on mac-prefixed redis entries and scan over them to determine whether or not we should rate-limit (send to pfqueue or "discard") |
|
I propose we move the iplog to redis. |
|
Would it be simpler to keep that logic within the pfdhcplistener to avoid involving redis. |
|
@jrouzierinverse that would work with an in-memory map but we wouldn't have the auto-expire of Redis and would need to write our own logic to calculate the throttling. Both would be good, just an implementation detail I guess |
|
You just use CHI for the auto expire login |
|
Using redis directly could also be an option. I would prefer to avoid scanning things in redis. |
pfdhcplistener is currently "vulnerable" to "mass-trafic" attacks (it is actually more pfqueue but POE is pfdhcplistener). The daemon will receive DHCP packets then forwards them to the appropriate queue which may create a big processing queue in the case a device is sending a lot of DHCP discover / request.
pfdhcplistener should be able to "rate-limit" itself based on number of request from a same device per X time.
The text was updated successfully, but these errors were encountered: