Date: Mon, 22 Oct 2001 14:21:16 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: Terry Lambert <tlambert2@mindspring.com>
Cc: David Malone <dwmalone@maths.tcd.ie>, Zhihui Zhang <zzhang@cs.binghamton.edu>, <freebsd-hackers@freebsd.org>
Subject: Re: Limiting closed port RST response
Message-ID: <20011022141612.B70111-100000@achilles.silby.com>
In-Reply-To: <3BCED5E7.3FAE9EB8@mindspring.com>
On Thu, 18 Oct 2001, Terry Lambert wrote:

> The problem is what to do when you are attacked.
>
> You need to balance resilience in the face of attack with the
> ability to bear a legitimately high load.
>
> -- Terry

I understand that, and can understand leaving rate limiting off on the clients so as to produce a realistic picture of how most hosts will react. What I'm not clear on is how the built-in rate limiting hurts a server under either normal conditions or while being attacked. The packets being limited are all error responses of one type or another; dropping them should not hurt clients connecting to running services.

I've heard the argument that RSTs are important so that old connections are terminated when a server restarts, but I generally reject that argument based on the observation that a downed server probably takes more time to reboot than connections take to time out on their own.

The one case I haven't considered much is how load-balancers react to systems behind them not returning RSTs in response to incoming packets; if this is the case you're talking about, I'd like to hear more of what happens and how we can accommodate for it better.

Mike "Silby" Silbersack
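A toy model of the behaviour the message describes, added here as an illustration and not code from FreeBSD or from anyone in the thread: a per-second cap on RSTs sent to closed ports leaves SYN-ACKs for listening ports untouched, so only error responses are ever dropped. The cap of 200 per second and the traffic mix are constructed values.

```python
"""Simplified per-second limiter for RSTs to closed ports (illustrative model
written for this page, not FreeBSD's implementation)."""
from dataclasses import dataclass


@dataclass
class RstLimiter:
    """Allow at most `limit` RSTs per one-second window; count the rest as dropped."""
    limit: int
    window_start: int = 0
    sent_in_window: int = 0
    dropped: int = 0

    def allow(self, now: int) -> bool:
        if now != self.window_start:          # new second: reset the counter
            self.window_start, self.sent_in_window = now, 0
        if self.sent_in_window < self.limit:
            self.sent_in_window += 1
            return True
        self.dropped += 1
        return False


def respond(packets, open_ports, limiter):
    """Responses a host emits for a stream of (time, dport) SYNs.
    SYNs to listening ports always get a SYN-ACK (never limited);
    SYNs to closed ports get an RST only while the limiter allows it."""
    out = []
    for t, dport in packets:
        if dport in open_ports:
            out.append((t, dport, "SYN-ACK"))
        elif limiter.allow(t):
            out.append((t, dport, "RST"))
    return out


def demo():
    # Constructed traffic: a sweep of 300 closed ports at t=0, mixed with
    # 20 legitimate SYNs to a web server on port 80, then one more at t=1.
    stream = [(0, 1000 + i) for i in range(300)]
    stream += [(0, 80)] * 20
    stream += [(1, 2000)]
    limiter = RstLimiter(limit=200)
    responses = respond(stream, {80}, limiter)
    rsts = sum(1 for r in responses if r[2] == "RST")
    synacks = sum(1 for r in responses if r[2] == "SYN-ACK")
    return rsts, synacks, limiter.dropped   # (201, 20, 100)


if __name__ == "__main__":
    print(demo())
```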