On Fri, 12 Jul 2013 10:19:49 -0700 Eric Dumazet <[email protected]> wrote:
> On Fri, 2013-07-12 at 12:54 -0400, Dave Taht wrote:
>
> > My point was that same program would be just as damaging against
> > pfifo_fast.
> >
> > > Or just think of SYN flood attack.
> >
> > For which other defenses exist.
>
> If someone uses pfifo_fast, it needs no particular protection right
> now to be able to log in into his machine.

I actually like your SSH use-case better than the high-avail heartbeat use-case, as the HA guys should just change the qdisc by hand, as they (should) know what they are doing (setting up their complicated configs).

<troll>
Then I say: Not if the attacker also sets the TOS bits.
Then you say: But the TOS bits should be stripped at the border gateway.
Then I say: But my server is at a cloud provider, thus I'm logging in remotely and the cloud provider is stripping my SSH TOS bits. Thus, it's not helping me... ;-)

Your SSH use-case is more valid, but when we are under real hard SYN DoS attacks then all CPUs are pinned down on the listen-spinlock problem... troll running away hiding ;-)
</troll>

ps. I usually have a separate NIC on the machine for management/SSH (using ip rule and routing tables to ensure this NIC has a separate default gateway).

-- 
Best regards,
  Jesper Dangaard Brouer
  MSc.CS, Sr. Network Kernel Developer at Red Hat
  Author of http://www.iptv-analyzer.org
  LinkedIn: http://www.linkedin.com/in/brouer

_______________________________________________
Codel mailing list
[email protected]
https://lists.bufferbloat.net/listinfo/codel
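A worked example of the management-NIC policy-routing setup mentioned in the ps, added here as an illustration and not part of the thread: a dedicated routing table for the management interface so its traffic uses its own default gateway regardless of the data-plane routes. Interface name, addresses, table id and rule priority are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): give a dedicated management NIC its
# own default gateway via a separate routing table plus an ip rule that
# sends traffic sourced from the management address to that table.
# All values below are assumed placeholders (RFC 5737 documentation range).
MGMT_IF="${MGMT_IF:-eth1}"              # management interface
MGMT_ADDR="${MGMT_ADDR:-192.0.2.10}"    # address sshd is reached on
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"    # directly connected mgmt subnet
MGMT_GW="${MGMT_GW:-192.0.2.1}"         # gateway reachable only via MGMT_IF
MGMT_TABLE="${MGMT_TABLE:-100}"         # separate routing table id
MGMT_PRIO="${MGMT_PRIO:-1000}"          # rule priority, ahead of 'main' (32766)

# Emit the iproute2 commands, one per line; nothing is executed here.
# 'replace' keeps the route lines idempotent on repeated runs.
mgmt_route_cmds() {
    cat <<EOF
ip route replace $MGMT_NET dev $MGMT_IF src $MGMT_ADDR table $MGMT_TABLE
ip route replace default via $MGMT_GW dev $MGMT_IF table $MGMT_TABLE
ip rule add from $MGMT_ADDR lookup $MGMT_TABLE priority $MGMT_PRIO
EOF
}

# Apply the commands (needs root / CAP_NET_ADMIN). Without APPLY=1 this is
# a dry run that only shows what would be executed. Replies to an SSH
# session that arrived on MGMT_ADDR carry that source address, so the
# 'from' rule steers them out MGMT_IF even if the main table's default
# route points at the data NIC.
mgmt_route_apply() {
    mgmt_route_cmds | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            eval "$cmd" || return 1
        else
            printf '# would run: %s\n' "$cmd"
        fi
    done
}
```

Verify afterwards with `ip rule show` and `ip route show table 100`; the rule must list ahead of the `main` lookup for the separate gateway to take effect.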
