From: Karl Gaissmaier <karl.gaissmaier@rz.uni-ulm.de>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Q: best solution to stop traffic to huge amount of
Date: Tue, 03 Sep 2002 11:13:41 +0000 [thread overview]
Message-ID: <marc-lartc-103105164605203@msgid-missing> (raw)
In-Reply-To: <marc-lartc-103000210313805@msgid-missing>
Hi Don,
Don Cohen schrieb:
>
> Just reading mail that arrived while I was on vacation ...
>
> Several points.
> - In order to use the current tc you don't have to match all of the
> illegal addresses (64K - 10K) - it would be easier to default to
> disallow packets and match the smaller 10K that are allowed.
>
actually I can do this with three independent ore loosely coupled
systems:
iproute2
netfilter
tc
netfilter is to slow for 10k rules and if I use hierarchical prefixes
I have a lot of chains and still ca. 500 rules in worst case.
With iproute2 I could do this with a prohibit rule, but then I have
the bigger amount of disallowd addresses.
I think in the moment tc is the best solution, but how could this
be handled on ingress shaping to a 0 kbps queue?
> - What you really want, of course, is a new module that does a simple
> table lookup to decide whether to classify a packet. This should be
> easy to write. The hard part is filling the table - I don't even know
> where your data comes from.
the comes programmatically from the DNS system by a walk throug.
I check once a day all Class B addresses whether they are registered.
>
> - I'd expect your addresses to not be uniformly distributed. A
right!
> reasonable routing scheme would assign different class-c's to
> different departments/dorms; many class c's don't exist and you
> can eliminate those immediately; those that do probably go to other
> routers and those can do further filtering.
> An additional benefit of this more distributed solution is that,
this must be done a the central FW, because the other routers
are from different vendors with even different capabilities.
This would not be manageable.
> at least for traffic originating inside your network, earlier
> filtering prevents one class c from denying (outbound) service to
> others. I'd guess that you're less concerned with outside attackers
> sending to these bogus addresses without provocation from inside.
Regards
Charly
--
Karl Gaissmaier Computing Center,University of Ulm,Germany
Email:karl.gaissmaier@rz.uni-ulm.de Network Administration
Tel.: ++49 731 50-22499
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
prev parent reply other threads:[~2002-09-03 11:13 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-08-22 7:38 [LARTC] Q: best solution to stop traffic to huge amount of unregistered hosts Karl Gaissmaier
2002-08-22 20:44 ` [LARTC] Q: best solution to stop traffic to huge amount of Karl Gaissmaier
2002-08-22 20:55 ` Karl Gaissmaier
2002-08-22 21:04 ` Karl Gaissmaier
2002-09-03 11:13 ` Karl Gaissmaier [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=marc-lartc-103105164605203@msgid-missing \
--to=karl.gaissmaier@rz.uni-ulm.de \
--cc=lartc@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.