  1. 06 Nov, 2014 1 commit
  2. 16 Oct, 2014 1 commit
  3. 04 Aug, 2014 1 commit
  4. 30 May, 2014 1 commit
  5. 27 May, 2014 1 commit
  6. 01 Apr, 2014 1 commit
  7. 12 Feb, 2014 1 commit
  8. 03 Feb, 2014 1 commit
  9. 28 Jan, 2014 1 commit
  10. 06 Jan, 2014 1 commit
  11. 21 Nov, 2013 1 commit
  12. 28 Jun, 2013 1 commit
  13. 17 Jun, 2013 1 commit
  14. 26 Apr, 2013 1 commit
  15. 19 Mar, 2013 1 commit
  16. 15 Mar, 2013 1 commit
    • Hopscotch hashing for resolving collisions in RRL. · 674c7fab
      Marek Vavrusa authored
      The idea is to insert colliding items in the H distance of
      the original hash value. H must be chosen to accommodate log(N)
      items, we use sizeof(unsigned). Unlike in linear probing,
      lookup is always in constant time and doesn't require
      extra memory and chaining costs as in external chaining.
      Extra memory is just sizeof(unsigned) per bucket.
      Builtin __builtin_ctz() is used for fast hop lookup.
      
      Herlihy, Maurice and Shavit, Nir and Tzafrir, Moran (2008).
      "Hopscotch Hashing". DISC '08: Proceedings of the 22nd
      international symposium on Distributed Computing.
      Arcachon, France: Springer-Verlag. pp. 350--364.
      http://people.csail.mit.edu/shanir/publications/disc2008_submission_98.pdf
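As an added illustration of the scheme this commit message describes (example code written for this page, not Knot DNS's own hopscotch table): a minimal hopscotch hash table in C with H equal to the bit width of `unsigned`, lookups that walk only the set bits of the home bucket's hop bitmap via `__builtin_ctz`, and an insert that linearly probes for a hole and then hops it back into range. The `hs_*` names, the 256-slot table, the trivial key-mod-size hash (chosen so collisions are easy to reason about; Knot hashes a seeded key tuple) and the demo scenarios are all constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Neighbourhood size H: one hop-bitmap bit per slot, so H = bits in an unsigned. */
#define HOP_RANGE  (8u * sizeof(unsigned))
#define TABLE_SIZE 256u                    /* power of two: indices wrap with a mask */
#define MASK       (TABLE_SIZE - 1u)

typedef struct {
    unsigned hop;     /* bit i set: slot (home + i) holds a key whose home bucket is this one */
    uint64_t key;
    int      value;
    int      used;
} hs_bucket_t;

typedef struct { hs_bucket_t b[TABLE_SIZE]; } hs_table_t;

/* Constructed trivial hash (key mod table size) so collisions are easy to
 * reason about; Knot's RRL hashes a seeded key tuple instead. */
static unsigned hs_home(uint64_t key) { return (unsigned)(key & MASK); }

void hs_init(hs_table_t *t) { memset(t, 0, sizeof(*t)); }

/* Lookup walks only the bits set in the home bucket's hop bitmap, so at most
 * H probes; __builtin_ctz yields the next candidate offset in O(1). */
static hs_bucket_t *hs_locate(hs_table_t *t, uint64_t key) {
    unsigned home = hs_home(key);
    for (unsigned hop = t->b[home].hop; hop; hop &= hop - 1) {   /* clear lowest set bit */
        hs_bucket_t *c = &t->b[(home + (unsigned)__builtin_ctz(hop)) & MASK];
        if (c->used && c->key == key) return c;
    }
    return NULL;
}

int hs_find(hs_table_t *t, uint64_t key, int *value) {
    hs_bucket_t *c = hs_locate(t, key);
    if (c && value) *value = c->value;
    return c != NULL;
}

/* Insert or update: 1 = inserted, 0 = updated, -1 = neighbourhood overflow
 * (a complete implementation would grow the table and rehash here). */
int hs_insert(hs_table_t *t, uint64_t key, int value) {
    hs_bucket_t *c = hs_locate(t, key);
    if (c) { c->value = value; return 0; }

    unsigned home = hs_home(key), dist = 0;     /* linear probe for an empty slot */
    while (dist < TABLE_SIZE && t->b[(home + dist) & MASK].used) dist++;
    if (dist == TABLE_SIZE) return -1;          /* table completely full */

    /* Hop the hole back towards home: find a bucket whose neighbourhood spans
     * the hole, move one of its items into it, and repeat from the vacated slot. */
    while (dist >= HOP_RANGE) {
        int moved = 0;
        for (unsigned off = HOP_RANGE - 1; off > 0; off--) {
            unsigned cand  = (home + dist - off) & MASK;               /* off slots before the hole */
            unsigned cands = t->b[cand].hop & ((1u << off) - 1u);      /* its items before the hole */
            if (!cands) continue;
            unsigned i = (unsigned)__builtin_ctz(cands);               /* item closest to cand */
            hs_bucket_t *from = &t->b[(cand + i) & MASK], *to = &t->b[(home + dist) & MASK];
            to->key = from->key; to->value = from->value; to->used = 1;
            from->used = 0;
            t->b[cand].hop = (t->b[cand].hop & ~(1u << i)) | (1u << off);
            dist -= off - i;                                           /* hole is now closer */
            moved = 1;
            break;
        }
        if (!moved) return -1;
    }
    hs_bucket_t *slot = &t->b[(home + dist) & MASK];
    slot->key = key; slot->value = value; slot->used = 1;
    t->b[home].hop |= 1u << dist;
    return 1;
}

/* Constructed scenario: slots 0..31 each hold one key of their own home
 * bucket, so a second key for bucket 0 must displace key 1 to slot 32. */
int hs_demo_displacement(void) {
    hs_table_t t; hs_init(&t);
    for (uint64_t k = 0; k < 32; k++)
        if (hs_insert(&t, k, (int)k * 10) != 1) return -1;
    if (hs_insert(&t, 256, 999) != 1) return -2;      /* home 0 has no hole within H: forces a hop */
    if (hs_insert(&t, 256, 998) != 0) return -3;      /* update in place */
    int v;
    if (!hs_find(&t, 1, &v) || v != 10) return -4;    /* displaced key 1 is still found */
    if (!hs_find(&t, 256, &v) || v != 998) return -5;
    if (hs_find(&t, 257, &v)) return -6;
    return (int)t.b[0].hop;                           /* bits 0 and 1 set: 3 */
}

/* Constructed scenario: 33 keys with the same home bucket overflow H. */
int hs_demo_overflow(void) {
    hs_table_t t; hs_init(&t);
    for (uint64_t k = 0; k < 32; k++)
        if (hs_insert(&t, k * 256, 1) != 1) return -1;
    return hs_insert(&t, 32 * 256, 1);                /* no item can be displaced: -1 */
}
```

The overflow case is the one a production table must handle by resizing: with H fixed at 32 bits, more than H keys sharing one home bucket can never fit, which is why the neighbourhood has to be sized for the expected log(N) collisions.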
  17. 28 Feb, 2013 1 commit
  18. 26 Feb, 2013 2 commits
    • Update RRL logging, small fixes for cls/flags clash. · b22de358
      Marek Vavrusa authored
      refs #2136
    • New RRL classes, fixed logging, buckets cannot reset when in sstart. · 3d2f8efe
      Marek Vavrusa authored
      New classes:
      * ANY (for ANY qtype)
      * DNSSEC (for qtype = DNSSEC-related record)
      
      Now logging when netblock enters/leaves rate limiting.
      Calculated by the previous window when dt>0 and number of
      available tokens is zero.
      
      Buckets under a slow-start phase cannot reset on subsequent collisions,
      this is to avoid potential collision attack when two precalculated
      packets hit the same bucket regularly.
      This could happen in legitimate traffic as well (less probably);
      if it does, the clients won't get completely denied, but will share
      the remaining rate until the slow-start phases out (1 time window).
      
      refs #2136
  19. 25 Feb, 2013 3 commits
  20. 22 Feb, 2013 1 commit
    • Implemented RRL classification and using name for hashing. · f39ce29a
      Marek Vavrusa authored
      Basic classes (evaluated in following order):
      * NORMAL - positive answer
      * ERROR - rcode is not NXDOMAIN nor NOERROR
      * NXDOMAIN - rcode is NXDOMAIN
      * EMPTY - response doesn't contain any answers
      * LARGE - packet size exceeded threshold (currently 1k)
      * WILDCARD - answering from a wildcard
      
      Reason behind not selectively classifying popular types like
      DNSKEY, RRSIG or ANY is that any type could be exploited,
      depending on the contents of the zone.
      
      refs #2136
  21. 21 Feb, 2013 1 commit
    • Implemented RRL collision checking and slow-start. · 0ccd9f67
      Marek Vavrusa authored
      When a collision occurs (bucket is same, but addresses differ),
      bucket enters a slow-start mode.
      This means it is given fewer tokens for two seconds in a row,
      then leaves the slow-start mode.
      The reason for this is to penalize collisions, but still allow
      legitimate clients to connect.
      In the usual mode of operation, collisions on the same bucket shouldn't
      happen in a regular fashion, and therefore shouldn't trigger slow-start
      mode often.
  22. 19 Feb, 2013 1 commit
    • Initial implementation of RRL. · 3617cdb7
      Marek Vavrusa authored
      Based on memo and implementation notes from
      Vixie and Schryver.
      http://ss.vix.su/~vixie/isc-tn-2012-1.txt
      
      Basically a token bucket algorithm, no interpolation
      yet. Classification of responses based on:
      <address prefix, resp.class, name, seed>
      
      address prefix = /24 for IPv4, /56 for IPv6
      resp.class = based on rcode,question and ancount
      name = either qname or answer
      seed = secret to harden collision prediction
      
      No SLIP yet.
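The RRL commits above (the initial token bucket keyed by <address prefix, class, name, seed>, classification by response class, slow-start on bucket collision, and slow-starting buckets that cannot be reset) as one added C example. This is illustration code written for this page, not Knot DNS's implementation. Assumed for the example: the `rrl_*` names, a plain bucket array instead of the hopscotch table, rate/4 tokens during a slow-start window (the commits say only "fewer tokens"), that the later ANY and DNSSEC classes are checked before the basic ones, a one-second window with per-window refill and no interpolation, an FNV-1a hash of the key tuple, and constructed client addresses from 192.0.2.0/24.

```c
#include <stdint.h>
#include <string.h>

#define RRL_BUCKETS    1024  /* Knot keeps these in a hopscotch table; an array suffices here */
#define RRL_SSTART_WIN 2     /* slow-start spans two consecutive one-second windows */
#define RRL_SSTART_DIV 4     /* assumed: a slow-start window refills with rate/4 tokens */

typedef enum { CLS_NORMAL, CLS_ERROR, CLS_NXDOMAIN, CLS_EMPTY, CLS_LARGE,
               CLS_WILDCARD, CLS_ANY, CLS_DNSSEC } rrl_class_t;
typedef enum { RRL_PASS, RRL_DROP } rrl_verdict_t;
typedef struct { int rcode; uint16_t qtype; int ancount; size_t size; int wildcard; } resp_t;

typedef struct {
    int      used;
    uint32_t hash;    /* <prefix, class, name, seed> the bucket currently serves */
    uint32_t window;  /* one-second window of the last refill */
    int      tokens;
    int      sstart;  /* slow-start windows remaining, 0 = normal mode */
} rrl_bucket_t;

typedef struct { rrl_bucket_t b[RRL_BUCKETS]; int rate; uint32_t seed; } rrl_t;

void rrl_init(rrl_t *r, int rate, uint32_t seed) { memset(r, 0, sizeof(*r)); r->rate = rate; r->seed = seed; }

/* Classes in the order the commit lists them; ANY and DNSSEC (added later) are
 * assumed to be checked first. Qtype and rcode numbers are the IANA values. */
rrl_class_t rrl_classify(const resp_t *p) {
    if (p->qtype == 255) return CLS_ANY;
    if (p->qtype == 48 || p->qtype == 46 || p->qtype == 43 ||
        p->qtype == 47 || p->qtype == 50) return CLS_DNSSEC;   /* DNSKEY RRSIG DS NSEC NSEC3 */
    if (p->rcode != 0 && p->rcode != 3) return CLS_ERROR;      /* neither NOERROR nor NXDOMAIN */
    if (p->rcode == 3) return CLS_NXDOMAIN;
    if (p->ancount == 0) return CLS_EMPTY;
    if (p->size > 1024) return CLS_LARGE;
    if (p->wildcard) return CLS_WILDCARD;
    return CLS_NORMAL;
}

/* FNV-1a over <seed, /24 prefix, class, qname>; the secret seed is what makes
 * bucket collisions hard for a client to predict. */
static uint32_t rrl_hash(const rrl_t *r, const uint8_t ip[4], rrl_class_t cls, const char *qname) {
    uint32_t h = 2166136261u ^ r->seed;
    for (int i = 0; i < 3; i++) { h ^= ip[i]; h *= 16777619u; }   /* /24: first three octets */
    h ^= (uint32_t)cls; h *= 16777619u;
    for (const char *c = qname; *c; c++) { h ^= (uint8_t)*c; h *= 16777619u; }
    return h;
}

/* One response against one bucket: per-window token bucket (no interpolation)
 * with slow-start on collision and no SLIP, so limited responses are dropped. */
rrl_verdict_t rrl_bucket_update(rrl_t *r, rrl_bucket_t *b, uint32_t hash, uint32_t now) {
    if (!b->used) {                          /* fresh bucket: claim it at full rate */
        b->used = 1; b->hash = hash; b->window = now; b->tokens = r->rate;
    } else if (b->hash != hash) {            /* collision: another flow owns the bucket */
        if (b->sstart == 0) {                /* take it over, but only with reduced tokens */
            b->hash = hash; b->window = now;
            b->sstart = RRL_SSTART_WIN; b->tokens = r->rate / RRL_SSTART_DIV;
        }                                    /* already slow-starting: share what is left */
    }
    if (b->window != now) {                  /* new window: refill */
        if (b->sstart > 0) b->sstart--;
        b->tokens = b->sstart > 0 ? r->rate / RRL_SSTART_DIV : r->rate;
        b->window = now;
    }
    if (b->tokens > 0) { b->tokens--; return RRL_PASS; }
    return RRL_DROP;
}

rrl_verdict_t rrl_query(rrl_t *r, const uint8_t ip[4], const resp_t *resp, const char *qname, uint32_t now) {
    uint32_t h = rrl_hash(r, ip, rrl_classify(resp), qname);
    return rrl_bucket_update(r, &r->b[h % RRL_BUCKETS], h, now);
}

/* Send n responses for one flow to one bucket, return how many pass. */
static int rrl_burst(rrl_t *r, rrl_bucket_t *b, uint32_t hash, uint32_t now, int n) {
    int pass = 0;
    while (n-- > 0) pass += rrl_bucket_update(r, b, hash, now) == RRL_PASS;
    return pass;
}

/* Constructed scenario: A fills a bucket, B collides and triggers slow-start,
 * A can no longer reset the bucket, full rate returns two windows later. */
int rrl_demo_sstart(void) {
    rrl_t r; rrl_init(&r, 8, 0xC0FFEE);
    rrl_bucket_t *b = &r.b[0];
    if (rrl_burst(&r, b, 1, 10, 12) != 8) return -1;                    /* A: 8 of 12 pass */
    if (rrl_burst(&r, b, 2, 10, 4) != 2 || b->sstart != 2) return -2;   /* B collides: rate/4 */
    if (rrl_bucket_update(&r, b, 1, 10) != RRL_DROP || b->hash != 2) return -3; /* A cannot reset */
    if (rrl_burst(&r, b, 2, 11, 4) != 2) return -4;                     /* second slow-start window */
    return rrl_burst(&r, b, 2, 12, 12);                                 /* full rate again: 8 */
}

/* Constructed scenario: two hosts in 192.0.2.0/24 share one bucket. */
int rrl_demo_prefix(void) {
    rrl_t r; rrl_init(&r, 5, 0x5eed);
    const uint8_t a[4] = {192, 0, 2, 1}, b[4] = {192, 0, 2, 77};
    resp_t nx = { .rcode = 3, .qtype = 1, .ancount = 0, .size = 80, .wildcard = 0 };
    int pass = 0;
    for (int i = 0; i < 4; i++) pass += rrl_query(&r, a, &nx, "example.com.", 100) == RRL_PASS;
    for (int i = 0; i < 3; i++) pass += rrl_query(&r, b, &nx, "example.com.", 100) == RRL_PASS;
    return pass;                                                        /* 5: one netblock, one rate */
}
```

The two scenarios show the defensive properties the commits argue for: a flow that collides with a busy bucket gets service at a reduced rate rather than a fresh full bucket, and once a bucket is slow-starting a second colliding flow cannot reset it again, so two crafted responses landing in the same bucket only share what is left rather than repeatedly refilling it.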