Rate limiting Kerberos Requests

Nico Williams nico at cryptonector.com
Thu Sep 27 11:40:26 EDT 2012


On Thu, Sep 27, 2012 at 10:38 AM, Nico Williams <nico at cryptonector.com> wrote:
>> The above incident is a single misbehaving client suddenly doing about
>> 600 requests / minute for around 30 minutes.  During this window no one
>> else could get a KDC response before the client timed out.
>
> The client is not misbehaving.  The KDC is.  The problem is on the KDC side.

I should add that this is the reason that you can't do anything with
packet filters about this.  The problem is not the client.  *Any*
client hitting the KDC just at the wrong time during a kprop will
result in this problem.

Nico
--

