This is partially true, yes, bandwidth throttling on the AP is the ideal way to go, however the fact that all traffic has to hit the PPP Server means that you won't be able to shove more data down the tunnel than you are permitted to, because of the flow control you can perform at the PPP Server. So it logically can't suck up all the bandwidth on the Access Point, unless the sum of the affected users is greater than the total amount of bandwidth available at your AP.
This paper describes an implementation of PPPoE via FreeBSD - which may be of some interest: http://www.hpi.net/whitepapers/warta

The fact is, if a critical mass of infected customers builds up, you will need to ensure the customer takes the necessary precautions (installs AV, firewall etc). The implementation of PPPoE is not a cure, it is more of a damage limitation tool. Currently, you need to wait for the traffic to hit the NOC before any shaping takes place - and this doesn't deal with the problem of broadcast traffic flooding out across your APs - crippling throughput. If you have a PPPoE system, the traffic needs to be shoved down the tunnel, where it can be safely dropped - Yes it will suck up resources, but it will be far less resources than a network where you allow all traffic to propagate unmolested, until it reaches the NOC/Border router. Without a PPPoE system, you are likely to experience problems with a single customer being infected, with a PPPoE system you could cater for several infected customers before the others notice.

----- Original Message -----
From: "Lars Gaarden" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 10, 2003 8:20 PM
Subject: Re: [smartBridges] sB Network Issue

> Colin Watson wrote:
>
> > Because *All* client traffic is *forced* down the PPP tunnel (ICMP, et al),
> > you have full control over what your customers can and cannot do. For
> > instance, when they reach the PPP Server (Access Concentrator) - All Netbios
> > (Windows File & Printer Sharing) can be blocked, all ICMP traffic could be
> > blocked (if you wanted), All packets can be shaped so the customer can only
> > transmit/receive at the allotted bandwidth, you can also block virus
> > proliferation ports.
>
> True. PPP(oE) provides a virtual connection per client, which makes it a lot
> easier to disable/enable accounts, do per customer/per connection bwctrl,
> filtering, accounting, and makes spoofing and hijacking difficult.
>
> If you use PPPoE, it is easy to kick an infected client off the net once
> discovered. But it does not solve the DoS problem (which was the original
> question in this thread).
>
> Sure, the ICMP (or whatever) packets the client is spewing out are dropped
> when they reach the AC. But by that time the packets have already wasted
> bandwidth on the AP and backbone. A client PC infected with a DDoS trojan
> will spew packets and doesn't care whether they reach the destination or
> are dropped at the AC/NOC. Whether your network architecture is bridging,
> routing or PPPoE, the rogue client will eat the air time on the AP for
> breakfast.
>
> The only way you can make sure that an infected client can't wreak havoc
> on the AP is to have bwctrl on the CPE.
>
> --
> LarsG
>
> The PART-15.ORG smartBridges Discussion List
> To Join: mailto:[EMAIL PROTECTED] (in the body type subscribe smartBridges <yournickname>)
> To Remove: mailto:[EMAIL PROTECTED] (in the body type unsubscribe smartBridges)
> Archives: http://archives.part-15.org
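As an added illustration of the disagreement in this thread (this is not code from any list member): a small Python model of one access point whose customers are either rate-limited at the CPE or only at the PPP access concentrator. It shows both points at once: the AC does cap what each customer gets through the tunnel, but when shaping happens only there, the flooding client's frames still cross the AP first. Everything here is constructed: the 11 Mbps AP capacity, the client names, the plan and offered rates, and the assumption that the AP hands out air time max-min fairly among stations (a simplification of real 802.11 contention).

```python
"""Where a rogue client's upstream flood is dropped matters for the AP.

Constructed example: an access point modelled as a shared medium that
hands out air time max-min fairly among stations (assumption). Clients are
shaped either at the CPE (before frames hit the air) or only at the PPP
access concentrator (AC), after the AP has already carried them.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    name: str
    offered_kbps: int   # what the customer's PC tries to push upstream
    plan_kbps: int      # bandwidth allotted to this customer


def max_min_fair(demand: dict, capacity: float) -> dict:
    """Share `capacity` among demands max-min fairly: small demands are
    fully served, the rest is split equally among those still unsatisfied."""
    alloc = {}
    remaining = capacity
    pending = dict(demand)
    while pending:
        share = remaining / len(pending)
        satisfied = {n: d for n, d in pending.items() if d <= share}
        if not satisfied:
            alloc.update({n: share for n in pending})
            break
        for n, d in satisfied.items():
            alloc[n] = d
            remaining -= d
            del pending[n]
    return alloc


def simulate(clients, ap_capacity_kbps, shape_at_cpe):
    """Return AP load, air time wasted on frames the AC later drops,
    remaining AP headroom, and the rate actually delivered per client.

    shape_at_cpe=True  : the plan rate is enforced before frames hit the air.
    shape_at_cpe=False : the full offered load crosses the AP; the AC then
                         drops everything above the plan rate (PPPoE shaping).
    """
    if shape_at_cpe:
        demand = {c.name: min(c.offered_kbps, c.plan_kbps) for c in clients}
    else:
        demand = {c.name: c.offered_kbps for c in clients}
    over_air = max_min_fair(demand, ap_capacity_kbps)
    plan = {c.name: c.plan_kbps for c in clients}
    delivered = {n: min(kbps, plan[n]) for n, kbps in over_air.items()}
    ap_load = sum(over_air.values())
    wasted = ap_load - sum(delivered.values())  # air time burned on frames the AC drops
    return {
        "ap_load_kbps": round(ap_load),
        "wasted_kbps": round(wasted),
        "headroom_kbps": round(ap_capacity_kbps - ap_load),
        "delivered_kbps": {n: round(v) for n, v in delivered.items()},
    }


# Constructed scenario: an 11 Mbps AP, two normal customers and one customer
# whose PC is infected and floods upstream at far above its 1 Mbps plan.
AP_CAPACITY_KBPS = 11_000
CLIENTS = [
    Client("alice", offered_kbps=512, plan_kbps=1024),
    Client("bob", offered_kbps=256, plan_kbps=1024),
    Client("infected", offered_kbps=50_000, plan_kbps=1024),
]

if __name__ == "__main__":
    for where, flag in (("shaped only at the AC", False), ("shaped at the CPE", True)):
        r = simulate(CLIENTS, AP_CAPACITY_KBPS, flag)
        print(f"{where}: AP load {r['ap_load_kbps']} kbps, "
              f"wasted {r['wasted_kbps']} kbps, headroom {r['headroom_kbps']} kbps, "
              f"delivered {r['delivered_kbps']}")
```

With shaping only at the AC, the infected customer still ends up with 1024 kbps through the tunnel, but the AP runs at its full 11000 kbps with 9208 kbps of that carrying frames the AC discards, leaving no headroom for anyone else. With the same plan enforced at the CPE the AP carries 1792 kbps and nothing is wasted. The max-min model is generous to the well-behaved clients; real 802.11 contention from a saturated station tends to make things worse for them, not better.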
