Hello everyone:
I would like to test the waters on some new functionality we think is
needed to protect OpenStack deployments from some overload situations due to an
excessive user or DDOS scenario. We wrote this up in the style of an RFE.
Please let us know your thoughts and we can proceed with a formal RFE with more
detail if there are no concerns raised.
*What is being requested*
This request is to extend the QOS APIs to include the ability to provide
connection rate limiting
*Why is it being requested*
There are many scenarios where a VM may be intentionally malicious or become
harmful to the network due to its rate of initializing TCP connections. The
reverse direction of a VM being attacked with an excessive amount of TCP
connection requests either intentionally or due to overload is also problematic.
*Implementation Choices
There might be a number of ways to implement this, but one of the easiest
would appear to be to extend the APIs being developed under:
https://review.openstack.org/#/c/187513/. An additional rule type "connections
per-second" could be added.
The dataplane implementation itself may be realized with netfilter and
conntrack.
*Alternatives
It would be possible to extend the security groups in a similar fashion, but
due to the addition of rate limiting, QoS seems a more nature fit.
*Who needs it*
Cloud operators have experienced this issue in real deployments in a number of
cases.
[http://www.cisco.com/web/europe/images/email/signature/logo05.jpg]
John Joyce
PRINCIPAL ENGINEER.ENGINEERING
joy...@cisco.com
Phone: +1 978 936 0227
Cisco Systems Limited
1414 Massachusetts Ave.
BOXBOROUGH
MASSACHUSETTS
01719
US
Cisco.com<http://www.cisco.com>
[Think before you print.]Think before you print.
This email may contain confidential and privileged material for the sole use of
the intended recipient. Any review, use, distribution or disclosure by others
is strictly prohibited. If you are not the intended recipient (or authorized to
receive for the recipient), please contact the sender by reply email and delete
all copies of this message.
For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
