Date:      Mon, 22 Oct 2001 14:21:16 -0500 (CDT)
From:      Mike Silbersack <silby@silby.com>
To:        Terry Lambert <tlambert2@mindspring.com>
Cc:        David Malone <dwmalone@maths.tcd.ie>, Zhihui Zhang <zzhang@cs.binghamton.edu>, <freebsd-hackers@freebsd.org>
Subject:   Re: Limiting closed port RST response
Message-ID:  <20011022141612.B70111-100000@achilles.silby.com>
In-Reply-To: <3BCED5E7.3FAE9EB8@mindspring.com>


On Thu, 18 Oct 2001, Terry Lambert wrote:

> The problem is what to do when you are attacked.
>
> You need to balance resilience in the face of attack with the
> ability to bear a legitimately high load.
>
> -- Terry

I understand that, and can understand leaving rate limiting off on the
clients so as to produce a realistic picture of how most hosts will react.
What I'm not clear on is how the built-in rate limiting hurts a server
under either normal conditions or while being attacked.  The packets being
limited are all error responses of one type or another; dropping them
should not hurt clients connecting to running services.  I've heard the
argument that RSTs are important so that old connections are terminated
when a server restarts, but I generally reject that argument based on the
observation that a downed server probably takes more time to reboot than
connections take to time out on their own.

The one case I haven't considered much is how load-balancers react to
systems behind them not returning RSTs in response to incoming packets; if
this is the case you're talking about, I'd like to hear more of what
happens and how we can accommodate for it better.

Mike "Silby" Silbersack
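As an added illustration of the mechanism discussed above, and not code from this thread or from FreeBSD itself: a simplified per-second limiter for RSTs sent in response to segments for closed ports, loosely modeled on the kernel's ICMP/RST bandwidth limiting, run over a constructed burst. Segments for a listening port bypass the limiter entirely, which is the point made about error responses versus service traffic; the limit of 200 per second is an assumed value.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed example: per-second limiter for RSTs sent to closed ports,
 * loosely modeled on FreeBSD's ICMP/RST bandwidth limiting; not kernel code. */
struct bandlim { long limit, count, window; }; /* max per second, used, current second */

/* Returns true if an RST may be sent at time now_sec, false if it is dropped. */
static bool rst_allowed(struct bandlim *b, long now_sec) {
    if (now_sec != b->window) { b->window = now_sec; b->count = 0; } /* new second */
    if (b->count >= b->limit) return false;
    b->count++;
    return true;
}

enum action { SENT_RST, DROPPED_RST, PASSED_TO_SERVICE };

/* Segments for a listening port go to the service and are never limited;
 * only the error response for a closed port passes through the limiter. */
static enum action handle_segment(struct bandlim *b, bool listening, long now_sec) {
    if (listening) return PASSED_TO_SERVICE;
    return rst_allowed(b, now_sec) ? SENT_RST : DROPPED_RST;
}

struct outcome { long sent, dropped, passed; };

/* Constructed burst inside one second: n_closed probes of a closed port
 * interleaved with n_open connection attempts to a listening port. */
static struct outcome simulate(long limit, long n_closed, long n_open) {
    struct bandlim b = { limit, 0, -1 };
    struct outcome o = { 0, 0, 0 };
    long now = 1003800000;  /* constructed timestamp, whole seconds */
    for (long i = 0; i < n_closed || i < n_open; i++) {
        if (i < n_closed) {
            if (handle_segment(&b, false, now) == SENT_RST) o.sent++;
            else o.dropped++;
        }
        if (i < n_open && handle_segment(&b, true, now) == PASSED_TO_SERVICE) o.passed++;
    }
    return o;
}

int main(void) {
    struct outcome o = simulate(200, 1000, 50);  /* 200/s is an assumed limit */
    printf("closed-port RSTs sent=%ld dropped=%ld, service segments passed=%ld\n",
           o.sent, o.dropped, o.passed);
    return 0;
}
```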


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message