
Re: [PATCH + RFC] neighbour/ARP cache scalability

To: Tim Gardner <timg@xxxxxxx>
Subject: Re: [PATCH + RFC] neighbour/ARP cache scalability
From: Andi Kleen <ak@xxxxxxx>
Date: Tue, 21 Sep 2004 19:31:34 +0200
Cc: YOSHIFUJI Hideaki / ???????????? <yoshfuji@xxxxxxxxxxxxxx>, pekkas@xxxxxxxxxx, laforge@xxxxxxxxxxxx, netdev@xxxxxxxxxxx
In-reply-to: <1095784761.3934.52.camel@xxxxxxxxxxx>
References: <20040922.001448.73843048.yoshfuji@xxxxxxxxxxxxxx> <Pine.LNX.4.44.0409211856260.9906-100000@xxxxxxxxxx> <20040922.010428.104988024.yoshfuji@xxxxxxxxxxxxxx> <1095784761.3934.52.camel@xxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
> I've developed a variant of the Port Scan Detector (PSD) iptables filter
> that combats this very problem. It only allows so many destination
> IP/Port pairs from a given address to be opened over time. This limits
> the rate at which connections can be opened as well as the absolute
> number. For example, on my edge routers I set the policy that no single
> IP source address can create more than 64 connections within a 30 second
> sliding window. This has made a huge impact on the ARP storms that our
> network used to experience.

But also allows an easy DoS. Someone just has to spoof a lot of connection
attempts with the source address of your primary name server or
some other important service.

-Andi
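A worked model of the per-source sliding-window policy Tim describes (64 new destination IP/port pairs per 30 s) and of Andi's spoofing objection, as an added example that is not part of the original thread and not Tim's PSD variant; the class, the scenario and the addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 30   # sliding-window length quoted in the thread
MAX_NEW_PAIRS = 64    # new destination IP/port pairs a source may open per window


class PairRateLimiter:
    """Per-source sliding-window budget of newly opened destination IP/port pairs.

    A pair is charged once when first seen inside the window; repeats of an
    already-counted pair are free, so only distinct new destinations count.
    """

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_NEW_PAIRS):
        self.window = window
        self.limit = limit
        # src -> deque of (timestamp, (dst_ip, dst_port)) in arrival order
        self.events = defaultdict(deque)

    def _expire(self, src, now):
        q = self.events[src]
        while q and now - q[0][0] >= self.window:
            q.popleft()                     # slide the window forward

    def allow(self, src, dst_ip, dst_port, now):
        """True if the attempt fits the budget, False if src is over the limit."""
        self._expire(src, now)
        q = self.events[src]
        pair = (dst_ip, dst_port)
        if any(p == pair for _, p in q):
            return True                     # already counted in this window
        if len(q) >= self.limit:
            return False                    # budget exhausted: attempt dropped
        q.append((now, pair))
        return True


def spoof_scenario(victim_src="192.0.2.53", limit=MAX_NEW_PAIRS):
    """Andi's objection: forged SYNs carrying the victim's source address use up
    the victim's budget, so its own legitimate attempt is refused until the
    window slides past the burst. Addresses are constructed."""
    lim = PairRateLimiter(limit=limit)
    for i in range(limit):                  # forged burst, 0.1 s apart
        lim.allow(victim_src, f"198.51.100.{i % 250 + 1}", 1024 + i, now=i * 0.1)
    # the real name server now tries a new destination inside the window
    blocked_now = not lim.allow(victim_src, "203.0.113.10", 53, now=10.0)
    # once the forged burst has aged out of the window, service resumes
    recovered = lim.allow(victim_src, "203.0.113.10", 53, now=10.0 + WINDOW_SECONDS)
    return blocked_now, recovered
```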
