On Thu, Jan 31, 2008 at 08:16:55PM +0000, Simon Hobson wrote:
> Andrew Suffield wrote:
> >On Thu, Jan 31, 2008 at 04:23:54PM +0000, Simon Hobson wrote:
> >> >Against a hostile
> >> >system that is attacking you, it is completely worthless.
> >>
> >> Is anything - without some fairly "high end" gear?
> >
> >The attack is usually against the fact that your DSL line has a meagre
> >~6Mbit downstream capacity. The same filter applied inside your ISP's
> >network would work - very few people have the capacity to DoS an
> >entire ISP (the operators of the large botnets are about the only
> >ones).
>
> But if someone is attacking you with 20Mbit of traffic, then the ISP
> throttling that down to 6Mbit will still leave you with no service -
> 70% packet loss is somewhat beyond what TCP/IP will cope with.
> Granted, if the attack is using traffic you don't normally use, AND
> the ISP is prepared to filter it out, then that's a different matter.

I'm assuming that the ISP is running real QoS for you, so all your
normal traffic is going through fine and they're just dropping the DoS
traffic. Blind throttling wouldn't help, naturally.

> I still contend that provided you understand the limitations,
> shaping/prioritising your inbound traffic at below line rate does
> have a place.

As I noted earlier, it does have applications, it's just quite limited
in scope, doesn't do what people expect it to, and probably not what
you really want most of the time.

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
