Eddy wrote:

> Except this blocks valid SYN requests, too.  If you normally get
> 50 kbps of SYN and set a limit of 250 kbps, one easily can drown
> you with 5000 kbps.  The box doesn't crash, but you still have a
> DoS due to dropped packets.

But rather less of a DoS than being swamped, across an entire /19, with SYN packets to 
port 80 at the rate of >5000 per second. Trust me; I've experienced this recently and 
it wasn't nice... when >50% of your outbound traffic is web pages, that sort of thing 
hits home hard.

> Yes, I've used rate-limiting when no better alternative was
> available.  I'd consider it a last resort, along with per-IP
> blocking.

Likewise, as a last resort. Sometimes, however sadly, that's the easiest way to 
proceed. Especially when it's late at night and you're at home!

> Or run a TCP stack that isn't as vulnerable to this sort of
> thing.  *shrug*  People demand Linux, they get Linux.[1]

To be honest, when it gets to the realms of real[0] DoS/DDoS attacks, the IP stack you 
use makes no difference at all. If they're being orchestrated and run properly[1] then 
you could have the rhino-hide IP stack and it will still succumb.

[0] Definitions differ here. For me, anything which affects the normal operation of my 
network, or affects my clients in a "significant" manner, is a real attack.
[1] Again, properly can be interpreted in different ways.

Yesterday some colleagues and I had a brief flight-of-fancy into the land of making 
keyboards melt with IP traffic, if only we could accurately trace down the little 
swine who do this sort of stuff... but that's just pure Wolkenkuckucksheim :)

Graeme
-- 
Graeme Fowler
System Administrator
Host Europe Group PLC
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
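Eddy's point above, that a global SYN rate limit throws away legitimate SYNs roughly in proportion to the flood, can be seen in a small simulation. This is an added example, not code from the thread; it assumes a token-bucket limiter and treats his 50/250/5000 figures as SYN packets per second rather than kbps, with the arrival times constructed synthetically.

```python
import random
from dataclasses import dataclass


@dataclass
class TokenBucket:
    """Token-bucket limiter: refills `rate` tokens/s, holds at most `burst`."""
    rate: float
    burst: float
    tokens: float = 0.0
    last_t: float = 0.0

    def allow(self, t: float) -> bool:
        # Refill in proportion to elapsed time, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (t - self.last_t) * self.rate)
        self.last_t = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(legit_rate: int, attack_rate: int, limit: int,
             seconds: int = 10, seed: int = 1) -> float:
    """Fraction of legitimate SYNs dropped by one global limit of `limit`/s.

    Arrivals are constructed: legit and attack SYNs are spread uniformly
    over `seconds` and the limiter cannot tell the two apart.
    """
    rng = random.Random(seed)
    n_legit = legit_rate * seconds
    arrivals = [(rng.uniform(0, seconds), "legit") for _ in range(n_legit)]
    arrivals += [(rng.uniform(0, seconds), "attack")
                 for _ in range(attack_rate * seconds)]
    arrivals.sort()  # process in time order, mixed together like on the wire
    bucket = TokenBucket(rate=limit, burst=limit, tokens=limit)
    dropped_legit = sum(1 for t, kind in arrivals
                        if not bucket.allow(t) and kind == "legit")
    return dropped_legit / n_legit if n_legit else 0.0


if __name__ == "__main__":
    for attack in (0, 5000):
        print(f"attack={attack}/s: "
              f"{simulate(50, attack, 250):.1%} of legitimate SYNs dropped")
```

With no flood the 250/s limit is never hit; under a 5000/s flood the limiter passes about 250 of every 5050 SYNs, so roughly 95% of the legitimate ones are lost, which is the "DoS due to dropped packets" Eddy describes.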
