From: "Robert A. Hayden"

> What about doing some priority-based QoS?  If a single IP exceeds X amount
> of traffic, prioritize traffic above that threshold as low.  It would keep
> any one single host from saturating a link if the threshold is low.
> For example, you may say that each IP is limited to 10mb of priority
> traffic.  Yes, a compromised host may try to barf out 90mb of chaff, but
> the excess would be moved down the totem pole.

Down the totem pole isn't off the totem pole. In most cases the issue wasn't
traffic priority. Most network equipment isn't designed to handle 100%
capacity from all ports. Under standard operation, maximum capacity is never
reached. It is cost prohibitive to support it. In addition, this was a dual
issue. Not only did the bandwidth saturate, the packets are so small that in
reaching for 100% saturation, many routers and switches first exceeded their
maximum pps thresholds. The best defense is to monitor and know your
traffic. When traffic becomes uncommon, someone needs to be alerted. A 30%
processor increase is not a good thing; ever. Second, know the optimizations
for your particular equipment and code. Each piece of equipment has its own
optimizations. In my case, it was better to access-list at the router level
than to run bandwidth limiting, and I run a crummy 7200. It's even nicer on
a 7500+ where it's offloaded to the linecard processors. If a portion of the
network or a specific port is unrecoverable, shut it down. The server won't
be able to handle traffic anyways, and it is better to cut off a portion of
the network than lose the entire network.

Jack Bates
Network Engineer
BrightNet Oklahoma
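One way to act on the "monitor and know your traffic" advice above, as an added example that is not code from the thread: it keeps a baseline of per-interface packet rate, average packet size and router CPU from polled counters and flags the combination the post describes (a pps spike made of small packets plus a 30-point CPU jump). The counter readings, poll interval and thresholds below are constructed assumptions, not values from the post.

```python
"""Baseline check for per-interface pps, packet size and router CPU.

Assumes counters (total packets, total octets) and a CPU percentage are
polled at a fixed interval, e.g. via SNMP; the readings below are constructed.
"""
from statistics import mean, pstdev

POLL_SECONDS = 60
SMALL_PKT_BYTES = 100   # assumed: average size below this looks like chaff
CPU_JUMP_PCT = 30       # the thread's "30% processor increase"
PPS_SIGMA = 3.0         # pps this many std devs above baseline is "uncommon"

# Constructed: five quiet minutes at ~5000 pps of ~600-byte packets,
# then one minute flooded with 64-byte packets (80,000 pps) and CPU at 70%.
SAMPLES = [
    {"pkts": 0,       "octets": 0,             "cpu": 20},
    {"pkts": 300000,  "octets": 180_000_000,   "cpu": 21},
    {"pkts": 590000,  "octets": 354_000_000,   "cpu": 19},
    {"pkts": 900000,  "octets": 540_000_000,   "cpu": 20},
    {"pkts": 1205000, "octets": 723_000_000,   "cpu": 22},
    {"pkts": 1500000, "octets": 900_000_000,   "cpu": 20},
    {"pkts": 6300000, "octets": 1_207_200_000, "cpu": 70},
]

def rates(prev, cur):
    """Turn two cumulative counter samples into (pps, avg bytes per packet)."""
    pkts = cur["pkts"] - prev["pkts"]
    octets = cur["octets"] - prev["octets"]
    return pkts / POLL_SECONDS, (octets / pkts if pkts else 0)

def check(samples):
    """samples: ordered readings, newest last. Every interval except the
    newest forms the baseline. Returns a list of alert strings (empty = quiet)."""
    hist = [rates(a, b) for a, b in zip(samples, samples[1:])]
    *base, (pps, size) = hist
    base_pps = [p for p, _ in base]
    mu, sd = mean(base_pps), pstdev(base_pps)
    base_cpu = mean(s["cpu"] for s in samples[:-1])
    cpu = samples[-1]["cpu"]
    alerts = []
    if pps > mu + PPS_SIGMA * max(sd, 1.0):          # rate well above normal
        alerts.append(f"pps {pps:.0f} exceeds baseline {mu:.0f}")
    if size and size < SMALL_PKT_BYTES and pps > mu:  # tiny packets at high rate
        alerts.append(f"avg packet {size:.0f}B at elevated pps (pps limit risk)")
    if cpu - base_cpu >= CPU_JUMP_PCT:                # the 30-point CPU jump
        alerts.append(f"cpu {cpu}% is {cpu - base_cpu:.0f} points over baseline")
    return alerts

if __name__ == "__main__":
    for line in check(SAMPLES):
        print("ALERT:", line)
```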
