I don't need no stinking firewall!

Joe Greco jgreco at ns.sol.net
Wed Jan 6 09:00:19 CST 2010


> > (4) Rate limiting.  The ability to rate limit incoming and outgoing data 
> > can prevent certain sorts of DoSes.
> 
> I am not sure what makes you believe that.  The ability to rate limit
> incoming data at the server level would definitely not prevent a DoS. 
> 
> The ability to rate limit outgoing data would cause a DoS of anything
> other than DoS traffic that is hosted on the server.

It may be good practice to rate limit outgoing ICMP PING replies from your
server to the real world.  Kind of like being a good neighbor in the event 
of certain types of attacks on other parties.

This can be extended into more specific types of outgoing rate limits.
For example, an ISP DNS recurser that normally serves 1Mbps of traffic 
in aggregate but lives on a 1Gbps ethernet might use a per-destination 
outgoing limit to restrict the amount of damage that could be inflicted
on a remote DNS server (without affecting other destinations); things
like FreeBSD ipfw/dummynet and Linux (mumble) have these sorts of
capabilities.

I can see some usefulness in rate limiting as a form of sanity
enforcement.  Your average switch cannot do the more complex forms in
silicon.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.




More information about the NANOG mailing list