
Re: [PATCH + RFC] neighbour/ARP cache scalability

To: Tim Gardner <timg@xxxxxxx>
Subject: Re: [PATCH + RFC] neighbour/ARP cache scalability
From: Andi Kleen <ak@xxxxxxx>
Date: Tue, 21 Sep 2004 20:15:25 +0200
Cc: Andi Kleen <ak@xxxxxxx>, YOSHIFUJI Hideaki <yoshfuji@xxxxxxxxxxxxxx>, pekkas@xxxxxxxxxx, laforge@xxxxxxxxxxxx, netdev@xxxxxxxxxxx
In-reply-to: <1095789507.3934.69.camel@xxxxxxxxxxx>
References: <20040922.001448.73843048.yoshfuji@xxxxxxxxxxxxxx> <Pine.LNX.4.44.0409211856260.9906-100000@xxxxxxxxxx> <20040922.010428.104988024.yoshfuji@xxxxxxxxxxxxxx> <1095784761.3934.52.camel@xxxxxxxxxxx> <20040921173134.GC12132@xxxxxxxxxxxxx> <1095789507.3934.69.camel@xxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
On Tue, Sep 21, 2004 at 11:58:27AM -0600, Tim Gardner wrote:
> On Tue, 2004-09-21 at 11:31, Andi Kleen wrote:
> 
> > But also allows an easy DoS. Someone just has to spoof a lot of connection
> > attempts with the source address of your primary name server or 
> > some other important service.
> > 
> 
> That is what other iptables rules and filters are for. I get thousands
> of source address spoofs from my Internet connection every day. Network
> security is a layered approach.

I don't think you can eliminate the problem with more filters.
Even when you can eliminate spoofing for some services you use,
you cannot eliminate it for all possible services your users
use (unless you get rid of spoofing in the whole internet or you never
talk to any services outside your network).

And certainly the solution wouldn't work as a Linux default.

-Andi
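
The eviction-versus-filtering argument above, as an added simulation that is not part of this thread and not the kernel's or the patch's code. It assumes a simplified neighbour cache (bounded, least-recently-used eviction, an entry created on every lookup) and an ingress anti-spoofing filter that drops packets whose source claims one of the interface's own internal prefixes, the way the iptables rules Tim describes would. The addresses, prefixes, capacity and flood size are constructed sample values; the function names are hypothetical.

```python
from collections import OrderedDict
from ipaddress import ip_address, ip_network


class NeighbourCache:
    """Toy bounded neighbour cache with LRU eviction (an assumption for the
    simulation, not the kernel's actual policy)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()   # address -> True, ordered by last use
        self.evictions = []            # addresses pushed out, in order

    def touch(self, addr):
        """Lookup: refresh an existing entry or create a new one, evicting the
        least recently used entry when the cache is full."""
        if addr in self.entries:
            self.entries.move_to_end(addr)
            return
        if len(self.entries) >= self.capacity:
            victim, _ = self.entries.popitem(last=False)
            self.evictions.append(victim)
        self.entries[addr] = True

    def __contains__(self, addr):
        return addr in self.entries


def spoofed_flood(count, prefix):
    """Constructed sample traffic: `count` packets, each with a distinct forged
    source address inside `prefix`."""
    hosts = ip_network(prefix).hosts()
    return [str(next(hosts)) for _ in range(count)]


def ingress_filter(sources, internal_prefixes):
    """Anti-spoofing filter on the external interface: drop any packet whose
    source address belongs to one of our own internal prefixes."""
    nets = [ip_network(p) for p in internal_prefixes]
    return [s for s in sources if not any(ip_address(s) in n for n in nets)]


def run_scenario(flood_prefix, filtered, capacity=64, flood_size=200):
    """Seed the cache with the name server, replay a spoofed flood (optionally
    through the ingress filter) and report whether the name server survived."""
    nameserver = "10.1.1.53"                 # constructed: an internal service
    internal_prefixes = ["10.0.0.0/8"]       # constructed: what the filter knows
    cache = NeighbourCache(capacity)
    cache.touch(nameserver)
    packets = spoofed_flood(flood_size, flood_prefix)
    if filtered:
        packets = ingress_filter(packets, internal_prefixes)
    for src in packets:
        cache.touch(src)
    return {"nameserver_cached": nameserver in cache,
            "evictions": len(cache.evictions)}


if __name__ == "__main__":
    # No filter, spoofing from inside our own space: the name server is evicted.
    print("unfiltered, internal spoof:", run_scenario("10.2.0.0/16", False))
    # Filter in place, same flood: every forged packet is dropped, entry survives.
    print("filtered, internal spoof:  ", run_scenario("10.2.0.0/16", True))
    # Filter in place, but forged sources come from a prefix the filter cannot
    # know is bogus: the flood passes and the name server is evicted again.
    print("filtered, external spoof:  ", run_scenario("198.51.100.0/24", True))
```

The third scenario is the point Andi makes: a local anti-spoofing rule only protects addresses the filter can vouch for, so any cache policy that creates entries on unsolicited traffic from arbitrary remote sources can still be driven to evict the entries that matter.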
