| To: | Tim Gardner <timg@xxxxxxx> |
|---|---|
| Subject: | Re: [PATCH + RFC] neighbour/ARP cache scalability |
| From: | Andi Kleen <ak@xxxxxxx> |
| Date: | Tue, 21 Sep 2004 19:31:34 +0200 |
| Cc: | YOSHIFUJI Hideaki <yoshfuji@xxxxxxxxxxxxxx>, pekkas@xxxxxxxxxx, laforge@xxxxxxxxxxxx, netdev@xxxxxxxxxxx |
| In-reply-to: | <1095784761.3934.52.camel@tim.rtg.net> |
| References: | <20040922.001448.73843048.yoshfuji@linux-ipv6.org> <Pine.LNX.4.44.0409211856260.9906-100000@netcore.fi> <20040922.010428.104988024.yoshfuji@linux-ipv6.org> <1095784761.3934.52.camel@tim.rtg.net> |
| Sender: | netdev-bounce@xxxxxxxxxxx |
> I've developed a variant of the Port Scan Detector (PSD) iptables filter
> that combats this very problem. It only allows so many destination
> IP/Port pairs from a given address to be opened over time. This limits
> the rate at which connections can be opened as well as the absolute
> number. For example, on my edge routers I set the policy that no single
> IP source address can create more than 64 connections within a 30 second
> sliding window. This has made a huge impact on the ARP storms that our
> network used to experience.

But it also allows an easy DoS. Someone just has to spoof a lot of
connection attempts with the source address of your primary name
server or some other important service.

-Andi
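The limiter Tim describes and the spoofed-source DoS Andi raises, modelled as an added Python example (this is not code from the thread and not the iptables PSD match itself): a per-source sliding-window cap on new destination IP/port pairs, fed a constructed packet sequence. The 64-pairs-per-30-seconds figures come from the mail; the addresses, the attacker's rate and the assumption that the filter trusts the packet's source address with no interface or reverse-path check are mine.

```python
"""Sliding-window limit on new (dst IP, dst port) pairs per source address,
plus a constructed demonstration of the spoofed-source DoS against it.
Added example; not the iptables PSD variant from the thread."""
from collections import deque


class NewPairLimiter:
    """Allow at most `max_pairs` distinct new (dst, dport) pairs per source
    address inside a sliding window of `window` seconds. Like a stateless
    firewall match it trusts the source address as written in the packet
    (assumption: no ingress-interface or reverse-path check)."""

    def __init__(self, max_pairs=64, window=30.0):
        self.max_pairs = max_pairs
        self.window = window
        self._seen = {}  # src -> deque of (timestamp, (dst, dport)), oldest first

    def allow(self, ts, src, dst, dport):
        q = self._seen.setdefault(src, deque())
        # Expire entries that have fallen out of the window.
        while q and ts - q[0][0] >= self.window:
            q.popleft()
        pair = (dst, dport)
        if any(p == pair for _, p in q):
            return True          # same destination again: not a new pair
        if len(q) >= self.max_pairs:
            return False         # over quota: packet dropped
        q.append((ts, pair))
        return True


def run_scenario():
    """Constructed traffic: an attacker floods spoofed SYNs carrying the
    name server's address, then the real name server opens a few flows."""
    lim = NewPairLimiter(max_pairs=64, window=30.0)
    ns = "10.0.0.53"              # assumed address of the primary name server

    # 100 spoofed packets, 10 per second, each to a new internal host.
    spoofed_allowed = 0
    for i in range(100):
        if lim.allow(ts=0.1 * i, src=ns, dst=f"10.0.1.{i + 1}", dport=80):
            spoofed_allowed += 1

    # Twelve seconds later the genuine name server talks to three new peers:
    # its quota is already used up by the spoofed traffic.
    legit = [("10.0.2.1", 53), ("10.0.2.2", 53), ("10.0.2.3", 53)]
    legit_dropped = sum(
        not lim.allow(ts=12.0, src=ns, dst=d, dport=p) for d, p in legit
    )

    # Once enough spoofed entries age out of the window, service resumes.
    recovered = lim.allow(ts=31.0, src=ns, dst="10.0.2.4", dport=53)

    return {
        "spoofed_allowed": spoofed_allowed,
        "spoofed_dropped": 100 - spoofed_allowed,
        "legit_dropped": legit_dropped,
        "recovered_after_window": recovered,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the scenario shows the first 64 spoofed packets consuming the name server's quota and the name server's own three new flows being dropped until the window slides past the flood; the attacker never needs to complete a handshake, only to get packets with the forged source address past the filter. In a real deployment the attack therefore depends on where the spoofed packets can enter: my own note, not from the thread, is that strict ingress filtering (dropping packets whose source address does not belong on the interface they arrived on) removes most of the exposure.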