Thanks Lars,

I can currently disconnect users by removing their MAC address from the MAC authorization table of the airPoint, and re-entering it to bring them back online. I have bandwidth shaping with dummynet right now, so everything but non-TCP traffic is rate limited.

Thanks,
Roger

----- Original Message -----
From: "Lars Gaarden" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 10, 2003 8:19 PM
Subject: Re: [smartBridges] sB Network Issue

> Roger Howard wrote:
> > So then PPPoE will not help stop a virus on a single machine from taking
> > down an access point? Can anyone confirm, as there are opinions both ways?
>
> Depends on the virus.
>
> PPPoE + bandwidth control makes sure that a customer can't push more than
> his share of bandwidth *through the PPPoE Server*.
>
> Most network traffic is TCP, and TCP will automatically scale back the
> speed of a TCP session if it exceeds the bandwidth available.
>
> So if we are talking about a virus that tries to spew copies of itself
> through TCP connections, the bandwidth control will in most
> circumstances limit the amount of bandwidth that the virus uses.
>
> However, if we are talking about a DDoS trojan or any other application
> that spews ICMP or other traffic which does not check whether the packets
> reach their destination or are dropped at the PPPoE Server, then PPPoE
> doesn't help - the packets are dropped at the PPPoE Server, but the
> wireless segment is swamped by the traffic. As discussed above, the
> PPPoE Server has no way of telling the PPPoE client that it exceeds its
> bandwidth limit[1]. :-/
>
> One advantage of PPPoE, though, is that it is easy to disconnect a
> customer if you discover that he has been infected (with Linux or
> *BSD you might even do this automagically with a bit of scripting).
>
> Anyway. The only bulletproof way of making sure that a single client
> can't swamp the AP with traffic is to have some kind of bandwidth
> control on the CPE side.
>
> [1] I seem to recall that I've read something about a PPP extension
> that adds this capability, but I am not aware of any widespread
> use of it nor which servers/clients that might support it.
>
> --
> LarsG
>
> The PART-15.ORG smartBridges Discussion List
> To Join: mailto:[EMAIL PROTECTED] (in the body type subscribe smartBridges <yournickname>
> To Remove: mailto:[EMAIL PROTECTED] (in the body type unsubscribe smartBridges)
> Archives: http://archives.part-15.org
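
The point made in the quoted reply, as an added example that is not part of either e-mail: a small model of one client behind a rate limit enforced at the PPPoE server, comparing a sender that backs off on loss (TCP-like AIMD) with one that ignores drops. All rates and names are constructed assumptions, not measurements from the thread.

```python
# Constructed model, not a measurement: all rates are hypothetical, in kbit/s.
AIR_CAPACITY = 5000   # shared wireless segment between the CPEs and the AP
SERVER_LIMIT = 512    # per-customer cap enforced at the PPPoE server
CPE_LINE_RATE = 5000  # what one client radio can push onto the air


def simulate(responsive, ticks=200):
    """Return (average load put on the air, average rate delivered past the server)."""
    rate = 64.0 if responsive else float(CPE_LINE_RATE)
    air_total = delivered_total = 0.0
    for _ in range(ticks):
        on_air = min(rate, CPE_LINE_RATE)       # traffic crosses the wireless hop first
        delivered = min(on_air, SERVER_LIMIT)   # the server drops everything above the cap
        dropped = on_air - delivered
        air_total += on_air
        delivered_total += delivered
        if responsive:
            # AIMD: halve the rate after a drop, otherwise probe upward.
            rate = rate / 2 if dropped > 0 else rate + 32
        # An unresponsive sender never learns about the drops and keeps its rate.
    return air_total / ticks, delivered_total / ticks


def air_share(responsive):
    """Fraction of the wireless segment consumed by this one client."""
    air, _ = simulate(responsive)
    return air / AIR_CAPACITY


if __name__ == "__main__":
    for label, responsive in (("backs off on loss", True), ("ignores drops", False)):
        air, delivered = simulate(responsive)
        print(f"{label:18s} air={air:7.1f}  delivered={delivered:6.1f}  "
              f"share of segment={air_share(responsive):.0%}")
```

In both cases the server delivers no more than its cap, but only the sender that reacts to loss keeps its load on the wireless hop near that cap, which is why the reply places the control on the CPE side.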
