[bind10-dev] Rate limiting for logging?

Michal 'vorner' Vaner michal.vaner at nic.cz
Wed Jul 17 07:41:12 UTC 2013


Hello

On Tue, Jul 16, 2013 at 09:44:55PM +0530, Mukund Sivaraman wrote:
> On Mon, Jul 15, 2013 at 09:04:30AM +0200, Michal 'vorner' Vaner wrote:
> > Or we may solve it on the message IDs. Each message ID gets two new items:
> 
> Wouldn't this also suppress any messages with the same message ID, that
> were logged after that limit is reached, but with different message
> argument values?

Yes, it would.

I always thought this is the goal. If I look at any logs, I doubt there'll be
many spamming messages with exactly the same parameters. Imagine someone is
flooding us with queries that lead to some warn message. But the admin can't do
anything about that and the messages fill up his logs. It is likely the
attacker (or just a misconfigured client) uses a different query name each time or
a different source port. They'll change the arguments and all the messages would
get logged.

If we care about the MESSAGE_ID only, we don't have this problem.

With regards

-- 
The cost of living is going up, and the chance of living is going down.

Michal 'vorner' Vaner
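
The trade-off discussed in this message, shown as an added example that is not part of the original post and is not BIND 10 code: the same fixed-window limiter is run over a constructed flood, once keyed on the message ID alone and once keyed on the message ID plus its arguments. The message ID `EXAMPLE_BAD_QUERY`, the limit of 5 and the 10-second window are assumptions made for the illustration.

```python
# Added illustration; not BIND 10 code. The message ID, limit and window
# used here are constructed assumptions.

class LogRateLimiter:
    """Fixed-window limiter: at most `limit` messages per key per window."""

    def __init__(self, limit, window, key_fn):
        self.limit = limit
        self.window = window
        self.key_fn = key_fn
        self.state = {}  # key -> (window_start, count_in_window)

    def allow(self, now, msg_id, args):
        key = self.key_fn(msg_id, args)
        start, count = self.state.get(key, (now, 0))
        if now - start >= self.window:
            start, count = now, 0  # window expired: start a new one
        self.state[key] = (start, count + 1)
        return count < self.limit


def by_id(msg_id, args):
    """Key on the message ID only: all argument variants share one budget."""
    return msg_id


def by_id_and_args(msg_id, args):
    """Key on ID plus arguments: every distinct argument tuple gets a budget."""
    return (msg_id, args)


def simulate_flood(key_fn, n=1000, limit=5, window=10.0):
    """Replay a constructed one-second flood in which every message has a
    different query name and source port. Returns (logged, keys_tracked)."""
    limiter = LogRateLimiter(limit, window, key_fn)
    logged = 0
    for i in range(n):
        args = (f"host{i}.example.com", 1024 + i)  # constructed arguments
        if limiter.allow(i * 0.001, "EXAMPLE_BAD_QUERY", args):
            logged += 1
    return logged, len(limiter.state)


if __name__ == "__main__":
    print("keyed by ID:       ", simulate_flood(by_id))
    print("keyed by ID + args:", simulate_flood(by_id_and_args))
```

Keyed on ID plus arguments, the limiter also holds one state entry per distinct argument tuple, so the flood grows the limiter's own memory as well as the log.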