Rate limiting Kerberos Requests
Nico Williams
nico at cryptonector.com
Thu Sep 27 11:40:26 EDT 2012
On Thu, Sep 27, 2012 at 10:38 AM, Nico Williams <nico at cryptonector.com> wrote:
>> The above incident is a single misbehaving client suddenly doing about
>> 600 requests / minute for around 30 minutes. During this window no one
>> else could get a KDC response before the client timed out.
>
> The client is not misbehaving. The KDC is. The problem is on the KDC side.
I should add that this is the reason that you can't do anything with
packet filters about this. The problem is not the client. *Any*
client hitting the KDC just at the wrong time during a kprop will
result in this problem.
Nico