nanog mailing list archives
Re: I don't need no stinking firewall!
From: Joe Greco <jgreco () ns sol net>
Date: Wed, 6 Jan 2010 09:00:19 -0600 (CST)
(4) Rate limiting. The ability to rate limit incoming and outgoing data can prevent certain sorts of DoSes.

I am not sure what makes you believe that. The ability to rate limit incoming data at the server level would definitely not prevent a DoS. The ability to rate limit outgoing data would cause a DoS of anything other than DoS traffic that is hosted on the server.

It may be good practice to rate limit outgoing ICMP PING replies from your server to the real world. Kind of like being a good neighbor in the event of certain types of attacks on other parties.

This can be extended into more specific types of outgoing rate limits. For example, an ISP DNS recurser that normally serves 1Mbps of traffic in aggregate but lives on a 1Gbps ethernet might use a per-destination outgoing limit to restrict the amount of damage that could be inflicted on a remote DNS server (without affecting other destinations); things like FreeBSD ipfw/dummynet and Linux (mumble) have these sorts of capabilities.

I can see some usefulness in rate limiting as a form of sanity enforcement. Your average switch cannot do the more complex forms in silicon.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
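
The per-destination outgoing limit described in the message above, modelled as one token bucket per destination address. This is an added example, not part of the original post and not ipfw/dummynet configuration; the 1 Mbit/s limit, the 15 kB burst, the traffic rates and the documentation-range addresses are constructed assumptions.

```python
# Added illustration: per-destination token buckets on outgoing traffic.
# All rates and addresses below are constructed for the example.

class PerDestinationLimiter:
    """Keeps an independent token bucket for every destination address."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0      # refill rate in bytes per second
        self.burst = burst_bytes        # bucket depth in bytes
        self.buckets = {}               # dst -> (tokens, time of last update)

    def allow(self, dst, size, now):
        # A destination seen for the first time starts with a full bucket.
        tokens, last = self.buckets.get(dst, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = size <= tokens
        self.buckets[dst] = (tokens - size if ok else tokens, now)
        return ok


def simulate(limiter, flows, duration_s):
    """flows maps dst -> (packets per second, packet size in bytes).
    Returns the number of bytes actually sent to each destination."""
    events = []
    for dst, (pps, size) in flows.items():
        events += [(i / pps, dst, size) for i in range(int(pps * duration_s))]
    sent = {dst: 0 for dst in flows}
    for now, dst, size in sorted(events):   # process packets in time order
        if limiter.allow(dst, size, now):
            sent[dst] += size
    return sent


def run_example():
    # Server on a fast link, each destination capped at 1 Mbit/s outgoing.
    limiter = PerDestinationLimiter(rate_bps=1_000_000, burst_bytes=15_000)
    flows = {
        "192.0.2.53": (50_000, 500),    # 200 Mbit/s aimed at one remote server
        "198.51.100.10": (100, 200),    # 160 kbit/s of ordinary replies
    }
    return simulate(limiter, flows, duration_s=2)


if __name__ == "__main__":
    for dst, nbytes in run_example().items():
        print(f"{dst}: {nbytes} bytes sent in 2 s")
```

The flooded destination receives roughly the configured 1 Mbit/s plus the initial burst, while the low-rate destination is delivered in full because its bucket is never shared with the other one.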