From: Tim Gardner <timg@tpi.com>
To: "YOSHIFUJI Hideaki / 吉藤英明" <yoshfuji@linux-ipv6.org>
Cc: pekkas@netcore.fi, laforge@gnumonks.org, netdev@oss.sgi.com
Subject: Re: [PATCH + RFC] neighbour/ARP cache scalability
Date: Tue, 21 Sep 2004 10:39:21 -0600 [thread overview]
Message-ID: <1095784761.3934.52.camel@tim.rtg.net> (raw)
In-Reply-To: <20040922.010428.104988024.yoshfuji@linux-ipv6.org>
On Tue, 2004-09-21 at 10:04, YOSHIFUJI Hideaki / 吉藤英明 wrote:
> In article <Pine.LNX.4.44.0409211856260.9906-100000@netcore.fi> (at Tue, 21 Sep 2004 18:58:05 +0300 (EEST)), Pekka Savola <pekkas@netcore.fi> says:
>
> > This still doesn't take a stance on rate-limiting the ND/ARP packets,
> > in case that there still is enough memory, but some kind of attack is
> > clearly underway. Should it still be done? Consider 100Kpps of
> > router-generated ARP/ND probes -- not good!
>
Detecting an attack would require some kind of heuristic in the core
router code. I believe that logic is better suited for an iptables
filter. Why burden well guarded machines that are unikely to experience
this kind of attack? I think the only thing NUD should do is limit the
absolute number of NUD entries that it can create. Give it a sysctl knob
for large networks, but make the default something reasonable (like
2K).
I've developed a variant of the Port Scan Detector (PSD) iptables filter
that combats this very problem. It only allows so many destination
IP/Port pairs from a given address to be opened over time. This limits
the rate at which connections can be opened as well as the absolute
number. For example, on my edge routers I set the policy that no single
IP source address can create more then 64 connections within a 30 second
sliding window. This has made a huge impact on the ARP storms that our
network used to experience.
rtg
--
timg@tpi.com http://www.tpi.com
406-443-5357(MT) 503-601-0234(OR)
next prev parent reply other threads:[~2004-09-21 16:39 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-09-20 22:51 [PATCH + RFC] neighbour/ARP cache scalability Harald Welte
2004-09-21 6:29 ` David S. Miller
2004-09-21 7:04 ` Andre Tomt
2004-09-21 7:37 ` Robert Olsson
2004-09-21 8:58 ` Andi Kleen
2004-09-21 11:19 ` Pekka Savola
2004-09-21 13:49 ` Harald Welte
2004-09-21 14:10 ` Pekka Savola
2004-09-21 15:14 ` YOSHIFUJI Hideaki / 吉藤英明
2004-09-21 15:36 ` Robert Olsson
2004-09-21 15:59 ` YOSHIFUJI Hideaki / 吉藤英明
2004-09-21 15:58 ` Pekka Savola
2004-09-21 16:04 ` YOSHIFUJI Hideaki / 吉藤英明
2004-09-21 16:39 ` Tim Gardner [this message]
2004-09-21 17:31 ` Andi Kleen
2004-09-21 17:58 ` Tim Gardner
2004-09-21 18:15 ` Andi Kleen
2004-09-21 20:34 ` Harald Welte
2004-09-21 20:58 ` Tim Gardner
2004-09-22 1:14 ` Harald Welte
2004-09-22 3:31 ` David S. Miller
2004-09-22 11:14 ` Harald Welte
2004-09-24 5:53 ` David S. Miller
2004-09-24 7:14 ` Glen Turner
2004-09-24 5:47 ` David S. Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1095784761.3934.52.camel@tim.rtg.net \
--to=timg@tpi.com \
--cc=laforge@gnumonks.org \
--cc=netdev@oss.sgi.com \
--cc=pekkas@netcore.fi \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.