On 3/2/15 2:33 PM, Dave Dolson wrote:
> Would you do that to TCP or UDP traffic?
No, so I see your point. If an ICMP scan was dropped an attacker could simply switch to another protocol.
> One may wish to rate-limit ICMP (or DNS or TCP) flows as a matter of network policy, but in my opinion this should be kept orthogonal to solving buffer bloat.
Keeping in mind the original context which was subnet scans, I agree. But is there a way to do this in Linux? I guess it would use conntrack rather than tc.
(As an aside, I got a chuckle from seeing someone from a DPI company advocate treating all protocols equally.)
--
Wes Felter

_______________________________________________
aqm mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/aqm
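The exchange above separates two things: the AQM queue (tc) that treats all protocols alike, and an optional per-source rate limit on ICMP applied as network policy. The following is an added example, not code from either poster or from the aqm working group. It simulates the policy half as a per-source-address token bucket, the same shape of state that Linux keeps for the `hashlimit` xtables match (e.g. `-m hashlimit --hashlimit-mode srcip --hashlimit-above 2/sec --hashlimit-burst 10`). The packet trace, the addresses and the rate/burst values are constructed for the demonstration; the scanner's TCP packet is included to show that an ICMP-only policy leaves other protocols untouched, which is exactly the limitation raised in the thread.

```python
"""Per-source ICMP rate limiting as network policy, kept apart from AQM.

Added example (not from the mailing-list thread). Models the per-source
state a hashlimit/conntrack-style match would keep: one token bucket per
source address, refilled at `rate` tokens per second up to `burst`.
"""


class TokenBucket:
    """Classic token bucket; one token is spent per accepted packet."""

    def __init__(self, rate: float, burst: float):
        self.rate = rate      # tokens refilled per second
        self.burst = burst    # maximum tokens (initial credit)
        self.tokens = burst
        self.last = 0.0       # timestamp of the previous packet

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SourceRateLimiter:
    """One bucket per source address, like a hashlimit table in srcip mode."""

    def __init__(self, rate: float, burst: float):
        self.rate = rate
        self.burst = burst
        self.buckets = {}

    def check(self, src: str, proto: str, now: float) -> str:
        # Policy scope: only ICMP is limited; everything else is accepted here.
        if proto != "icmp":
            return "accept"
        bucket = self.buckets.setdefault(src, TokenBucket(self.rate, self.burst))
        return "accept" if bucket.allow(now) else "drop"


def scan_trace():
    """Constructed packet events as (time_seconds, source, protocol)."""
    events = []
    # A well-behaved host pinging once per second for ten seconds.
    events += [(float(t), "10.0.0.5", "icmp") for t in range(10)]
    # A scanner (constructed address) sending 200 echo requests in 0.4 s.
    events += [(0.002 * i, "198.51.100.77", "icmp") for i in range(200)]
    # The same scanner sends one TCP packet; ICMP-only policy does not touch it.
    events += [(0.1, "198.51.100.77", "tcp")]
    return sorted(events)


def apply_policy(events, rate: float = 2.0, burst: float = 10.0):
    """Run the limiter over the trace; return counts keyed by (src, proto, verdict)."""
    limiter = SourceRateLimiter(rate, burst)
    counts = {}
    for t, src, proto in events:
        verdict = limiter.check(src, proto, t)
        key = (src, proto, verdict)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(apply_policy(scan_trace()).items()):
        print(f"{key[0]:>15} {key[1]:<5} {key[2]:<6} {n}")
```

With a 2/s rate and a burst of 10, the normal host is never dropped, the scanner gets its first ten echo requests through and loses the rest, and its TCP packet passes untouched. The limiter state lives in a table keyed by source, not in the queue discipline, which is the sense in which this policy stays orthogonal to the AQM.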
