With response rate limiting enabled, an attacker sending queries from many
spoofed source addresses could steer entries into the same slot of the
internal rate-limit table and slow down query processing on the affected
server. The table now uses a per-process keyed hash so the placement of
entries cannot be predicted or influenced from the network.
Closes #5906
Backport of MR !11950
Merge branch 'backport-5906-rrl-hash-collision-dos-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11953
projects / thirdparty / bind9.git / commitdiff
