Andrew Suffield wrote:
> On Thu, Jan 31, 2008 at 04:23:54PM +0000, Simon Hobson wrote:
>> > Against a hostile system that is attacking you, it is completely worthless.
>>
>> Is anything - without some fairly "high end" gear?
>
> The attack is usually against the fact that your DSL line has a meagre ~6Mbit downstream capacity. The same filter applied inside your ISP's network would work - very few people have the capacity to DoS an entire ISP (the operators of the large botnets are about the only ones).
But if someone is attacking you with 20Mbit of traffic, then the ISP throttling that down to 6Mbit will still leave you with no service - 70% packet loss is somewhat beyond what TCP/IP will cope with. Granted, if the attack is using traffic you don't normally use, AND the ISP is prepared to filter it out, then that's a different matter.

I still contend that, provided you understand the limitations, shaping/prioritising your inbound traffic at below line rate does have a place.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
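The argument in this exchange can be made concrete with a small model. The Python below is an added illustration, not code from the list or from the Shorewall project, and it deliberately simplifies: the ISP-side line is assumed to drop excess traffic proportionally across all flows (it cannot tell a flood from an SSH session), the local ingress shaper is assumed to be a strict-priority policer at a fixed rate below the line rate, and the flow names and rates (a 6Mbit line, a 5Mbit shaper, a 20Mbit flood) are constructed values. It shows both halves of the thread's point: the shaper protects interactive traffic from your own bulk downloads, but once a flood exceeds the line rate the loss happens upstream of the shaper and prioritising what arrives changes nothing; only filtering on the ISP side restores service.

```python
"""Toy model: an inbound shaper below line rate helps when congestion is on
your side of the access line, but not when a flood already exceeds the
line's capacity.

Assumptions (illustration only, not a measurement):
  * the ISP-side line drops excess traffic proportionally across all flows,
    with no knowledge of which packets you care about;
  * the local ingress shaper is a strict-priority policer at a fixed rate;
  * flow rates are constant offered loads in Mbit/s (constructed values).
"""
from dataclasses import dataclass


@dataclass
class Flow:
    name: str
    rate_mbit: float   # offered load in Mbit/s
    priority: int      # 0 = highest; served first by the shaper


def line_bottleneck(flows, line_rate_mbit):
    """Model the DSL line: if offered load exceeds capacity, every flow is
    cut back by the same factor, because the line cannot distinguish them."""
    offered = sum(f.rate_mbit for f in flows)
    scale = 1.0 if offered <= line_rate_mbit else line_rate_mbit / offered
    return {f.name: f.rate_mbit * scale for f in flows}


def priority_shaper(flows, arriving, shape_rate_mbit):
    """Model the local ingress shaper: serve flows strictly in priority order
    until the shaping rate is used up; the remainder is dropped so that
    well-behaved TCP senders back off."""
    remaining = shape_rate_mbit
    delivered = {}
    for flow in sorted(flows, key=lambda f: f.priority):
        share = min(arriving[flow.name], remaining)
        delivered[flow.name] = share
        remaining -= share
    return delivered


def simulate(flows, line_rate_mbit=6.0, shape_rate_mbit=5.0):
    """Return per-flow offered, post-line and delivered rates plus the
    end-to-end loss percentage seen by each flow."""
    arriving = line_bottleneck(flows, line_rate_mbit)
    delivered = priority_shaper(flows, arriving, shape_rate_mbit)
    report = {}
    for f in flows:
        loss = 100.0 * (f.rate_mbit - delivered[f.name]) / f.rate_mbit
        report[f.name] = {
            "offered": f.rate_mbit,
            "after_line": arriving[f.name],
            "delivered": delivered[f.name],
            "loss_pct": loss,
        }
    return report


def ssh_loss_pct(flows):
    """Loss seen by the interactive 'ssh' flow in a scenario."""
    return simulate(flows)["ssh"]["loss_pct"]


# Constructed scenarios
NORMAL = [Flow("ssh", 0.1, 0), Flow("bulk-download", 5.5, 1)]
FLOODED = NORMAL + [Flow("flood", 20.0, 2)]   # attacker exceeds the line rate
FILTERED_UPSTREAM = NORMAL                     # ISP drops the flood before the line


if __name__ == "__main__":
    scenarios = [("normal", NORMAL), ("flooded", FLOODED),
                 ("ISP filters flood", FILTERED_UPSTREAM)]
    for label, scenario in scenarios:
        print(f"--- {label}: ssh loss {ssh_loss_pct(scenario):.1f}% ---")
        for name, r in simulate(scenario).items():
            print(f"{name:14s} offered {r['offered']:5.2f}  "
                  f"after line {r['after_line']:5.2f}  "
                  f"delivered {r['delivered']:5.2f}  loss {r['loss_pct']:5.1f}%")
```

In the normal scenario the shaper trims the bulk download so SSH loses nothing. In the flooded scenario the shaper still hands SSH every packet that reaches it, but roughly three quarters of them were already discarded on the line, which is the "70% packet loss" situation described above. Removing the flood upstream (the ISP filtering case) is the only change in the model that brings SSH back.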
