pfdhcplistener rate-limiting #1722
Comments
@julsemaan proposed to use redis to store the "count" of packets coming from different devices based on mac-prefixed redis entries and scan over them to determine whether or not we should rate-limit (send to pfqueue or "discard").
I propose we move the iplog to redis.
Would it be simpler to keep that logic within the pfdhcplistener to avoid involving redis?
@jrouzierinverse that would work with an in-memory map but we wouldn't have the auto-expire of Redis and would need to write our own logic to calculate the throttling. Both would be good, just an implementation detail I guess.
You just use CHI for the auto-expire logic.
Using redis directly could also be an option. I would prefer to avoid scanning things in redis.
pfdhcplistener is currently "vulnerable" to "mass-traffic" attacks (it is actually more pfqueue but the POE is pfdhcplistener). The daemon will receive DHCP packets then forward them to the appropriate queue, which may create a big processing queue in the case a device is sending a lot of DHCP discover / request.
pfdhcplistener should be able to "rate-limit" itself based on the number of requests from a same device per X time.
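The per-device throttle the issue asks for, as an added illustration that is not PacketFence code: a fixed-window counter keyed by client MAC with its own expiry, standing in for the Redis-key-with-TTL (or CHI) approach, deciding per packet whether to forward to the queue or discard. The MAC addresses, limits and timestamps below are constructed.

```python
from typing import Dict, List, Tuple

Packet = Tuple[float, str]  # (timestamp in seconds, client MAC)


class DhcpRateLimiter:
    """Per-MAC fixed-window counter. max_packets per window_seconds; entries
    older than one window are expired by hand, which is what a Redis TTL
    would otherwise do for free."""

    def __init__(self, max_packets: int, window_seconds: float) -> None:
        self.max_packets = max_packets
        self.window = window_seconds
        self._buckets: Dict[str, Tuple[float, int]] = {}  # mac -> (window_start, count)

    def _expire(self, now: float) -> None:
        stale = [m for m, (start, _) in self._buckets.items() if now - start >= self.window]
        for mac in stale:
            del self._buckets[mac]

    def allow(self, mac: str, now: float) -> bool:
        """True if this packet from `mac` should be forwarded to the queue."""
        self._expire(now)
        start, count = self._buckets.get(mac, (now, 0))
        count += 1
        self._buckets[mac] = (start, count)
        return count <= self.max_packets


# Constructed traffic: a chatty client sends 8 DISCOVERs in 0.8 s, a normal
# client sends 2, then the chatty client returns after its window has expired.
SAMPLE_PACKETS: List[Packet] = (
    [(0.1 * i, "00:11:22:33:44:55") for i in range(8)]
    + [(0.5, "66:77:88:99:aa:bb"), (0.9, "66:77:88:99:aa:bb")]
    + [(11.0, "00:11:22:33:44:55")]
)


def simulate(packets: List[Packet], limiter: DhcpRateLimiter) -> Tuple[List[Packet], List[Packet]]:
    """Replay packets in time order; return (forwarded, discarded)."""
    forwarded: List[Packet] = []
    discarded: List[Packet] = []
    for ts, mac in sorted(packets):
        (forwarded if limiter.allow(mac, ts) else discarded).append((ts, mac))
    return forwarded, discarded


if __name__ == "__main__":
    fwd, disc = simulate(SAMPLE_PACKETS, DhcpRateLimiter(max_packets=5, window_seconds=10))
    print(f"forwarded={len(fwd)} discarded={len(disc)}")
```

With a limit of 5 per 10 s the chatty client's 6th, 7th and 8th packets are discarded, the normal client is untouched, and the chatty client is served again once its window has rolled over.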