Date: Mon, 22 Oct 2001 14:21:16 -0500 (CDT)
From: Mike Silbersack
To: Terry Lambert
Cc: David Malone, Zhihui Zhang,
Subject: Re: Limiting closed port RST response
In-Reply-To: <3BCED5E7.3FAE9EB8@mindspring.com>
Message-ID: <20011022141612.B70111-100000@achilles.silby.com>

On Thu, 18 Oct 2001, Terry Lambert wrote:

> The problem is what to do when you are attacked.
>
> You need to balance resilience in the face of attack with the
> ability to bear a legitimately high load.
>
> -- Terry

I understand that, and can understand leaving rate limiting off on the clients so as to produce a realistic picture of how most hosts will react. What I'm not clear on is how the built-in rate limiting hurts a server under either normal conditions or while being attacked. The packets being limited are all error responses of one type or another; dropping them should not hurt clients connecting to running services.

I've heard the argument that RSTs are important so that old connections are terminated when a server restarts, but I generally reject that argument based on the observation that a downed server probably takes more time to reboot than connections take to time out on their own.

The one case I haven't considered much is how load-balancers react to systems behind them not returning RSTs in response to incoming packets; if this is the case you're talking about, I'd like to hear more of what happens and how we can accommodate for it better.

Mike "Silby" Silbersack
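The limiter being argued over above, modelled as an added illustration (this is not code from the thread or from FreeBSD; the cap of 200 error responses per second and the listening ports 22 and 80 are assumptions): replies to closed ports are counted per one-second window and suppressed above the cap, while packets to listening ports never consult the limiter, which is the basis of the claim that dropping them does not affect clients of running services.

```c
/* Added illustration, not code from this thread or from FreeBSD: a model of
 * the per-second limiter on error responses discussed here. Replies to closed
 * ports are counted per one-second window and suppressed above an assumed cap;
 * packets to listening ports never touch the limiter. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#define ERR_LIMIT 200                  /* assumed cap: error responses per second */
struct pkt   { long t; int dport; };                 /* arrival second, dst port */
struct stats { int served, rst_sent, rst_dropped; };
static struct { long window; int count; } lim;       /* limiter state */

/* Permit one error response in second `now` while that window has budget. */
static bool bandlim_allow(long now)
{
    if (now != lim.window) { lim.window = now; lim.count = 0; }  /* new second */
    if (lim.count >= ERR_LIMIT) return false;
    lim.count++;
    return true;
}

static bool is_listening(int port) { return port == 22 || port == 80; }  /* assumed */

/* Open port: the service handles it, never limited. Closed port: RST only
 * while this second's budget lasts; otherwise the reply is dropped. */
struct stats run(const struct pkt *p, size_t n)
{
    struct stats s = {0, 0, 0};
    lim.window = -1; lim.count = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_listening(p[i].dport))   s.served++;
        else if (bandlim_allow(p[i].t)) s.rst_sent++;
        else                            s.rst_dropped++;
    }
    return s;
}

/* Constructed stream: each second, `scan` packets to closed ports plus
 * `legit` packets to port 80; returns the resulting counters. */
struct stats scenario(int seconds, int scan, int legit)
{
    size_t n = (size_t)seconds * (size_t)(scan + legit), k = 0;
    struct pkt *p = malloc(n * sizeof *p); if (!p) abort();
    for (int t = 0; t < seconds; t++) {
        for (int i = 0; i < scan;  i++) { p[k].t = t; p[k++].dport = 1000 + i; }
        for (int i = 0; i < legit; i++) { p[k].t = t; p[k++].dport = 80; }
    }
    struct stats s = run(p, n);
    free(p);
    return s;
}
```

With a one-second burst of 500 packets to closed ports beside 50 to port 80, `scenario(1, 500, 50)` serves all 50 legitimate packets, sends 200 RSTs and drops 300; a second burst a second later gets a fresh budget.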