On Thu, 18 Oct 2001, Terry Lambert wrote:
> The problem is what to do when you are attacked.
>
> You need to balance resilience in the face of attack with the
> ability to bear a legitimately high load.
>
> -- Terry

I understand that, and can understand leaving rate limiting off on the clients so as to produce a realistic picture of how most hosts will react. What I'm not clear on is how the built-in rate limiting hurts a server under either normal conditions or while being attacked. The packets being limited are all error responses of one type or another; dropping them should not hurt clients connecting to running services.

I've heard the argument that RSTs are important so that old connections are terminated when a server restarts, but I generally reject that argument based on the observation that a downed server probably takes more time to reboot than connections take to time out on their own.

The one case I haven't considered much is how load-balancers react to systems behind them not returning RSTs in response to incoming packets; if this is the case you're talking about, I'd like to hear more of what happens and how we can accommodate for it better.

Mike "Silby" Silbersack
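The point made above, that the limiter only touches error responses and so cannot starve clients of a listening service, is easy to see in a small model. The following is an added example, not code from this thread or from the FreeBSD kernel: a per-category, per-second cap on error responses in the spirit of the kernel's RST/ICMP bandwidth limiting, fed a constructed stream of SYNs (a flood at a closed port plus a handful of legitimate SYNs to port 80). The port numbers, packet counts and the 200-per-second cap are constructed values chosen for the demonstration, not kernel defaults.

```c
/*
 * Added example (not from the thread or the FreeBSD kernel): a simple
 * fixed-window limiter on error responses, modelled on the idea behind
 * badport_bandlim(). All inputs below are constructed for the demo.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { LIM_RST_CLOSEDPORT = 0, LIM_ICMP_UNREACH = 1, LIM_CATEGORIES = 2 };

struct bandlim {
    long limit;                      /* responses allowed per second; 0 = unlimited */
    long count[LIM_CATEGORIES];      /* responses sent in the current second */
    long window_sec[LIM_CATEGORIES]; /* which second each counter belongs to */
};

static void bandlim_init(struct bandlim *b, long limit)
{
    memset(b, 0, sizeof *b);
    b->limit = limit;
}

/* Returns 1 if this error response may be sent, 0 if it is suppressed. */
int bandlim_allow(struct bandlim *b, int category, long now_sec)
{
    if (b->limit <= 0)
        return 1;                            /* limiting disabled */
    if (b->window_sec[category] != now_sec) {
        b->window_sec[category] = now_sec;   /* new second: reset the counter */
        b->count[category] = 0;
    }
    if (b->count[category] >= b->limit)
        return 0;
    b->count[category]++;
    return 1;
}

struct syn   { long t_sec; int dst_port; };
struct stats { long syn_acks; long rsts_sent; long rsts_dropped; };

static int port_is_open(int port, const int *open_ports, size_t n_open)
{
    for (size_t i = 0; i < n_open; i++)
        if (open_ports[i] == port) return 1;
    return 0;
}

/*
 * Answer a stream of SYNs. SYNs to listening ports get SYN-ACKs and never
 * touch the limiter; SYNs to closed ports would draw a RST, and that RST is
 * what the limiter caps.
 */
struct stats run_syns(const struct syn *pkts, size_t n,
                      const int *open_ports, size_t n_open, long limit)
{
    struct bandlim lim;
    struct stats st = { 0, 0, 0 };
    bandlim_init(&lim, limit);
    for (size_t i = 0; i < n; i++) {
        if (port_is_open(pkts[i].dst_port, open_ports, n_open))
            st.syn_acks++;
        else if (bandlim_allow(&lim, LIM_RST_CLOSEDPORT, pkts[i].t_sec))
            st.rsts_sent++;
        else
            st.rsts_dropped++;
    }
    return st;
}

/* Constructed traffic: per_sec SYNs/second to closed port 31337 for secs
 * seconds, plus legit SYNs to port 80 spread over the same period. */
size_t build_flood(struct syn *out, size_t cap, long per_sec, long secs, long legit)
{
    size_t n = 0;
    for (long s = 0; s < secs; s++)
        for (long k = 0; k < per_sec && n < cap; k++)
            out[n++] = (struct syn){ s, 31337 };
    for (long k = 0; k < legit && n < cap; k++)
        out[n++] = (struct syn){ k % secs, 80 };
    return n;
}

/* Run one constructed scenario end to end; ports 22 and 80 are "listening". */
struct stats scenario(long per_sec, long secs, long legit, long limit)
{
    static struct syn pkts[8192];
    const int open_ports[] = { 22, 80 };
    size_t n = build_flood(pkts, sizeof pkts / sizeof pkts[0], per_sec, secs, legit);
    return run_syns(pkts, n, open_ports, 2, limit);
}

int main(void)
{
    struct stats st = scenario(1000, 2, 10, 200);
    printf("SYN-ACKs %ld, RSTs sent %ld, RSTs suppressed %ld\n",
           st.syn_acks, st.rsts_sent, st.rsts_dropped);
    return 0;
}
```

With the cap at 200/s, a two-second flood of 1000 SYNs/s at a closed port yields 400 RSTs sent and 1600 suppressed, while every SYN to port 80 is still answered; with the cap at 0 all 2000 RSTs go out. What the model does not capture is the load-balancer case raised in the message, where a health check or a front-end may be waiting for exactly those suppressed RSTs.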