From: Tim Gardner <timg@tpi.com>
To: "YOSHIFUJI Hideaki / 吉藤英明" <yoshfuji@linux-ipv6.org>
Cc: pekkas@netcore.fi, laforge@gnumonks.org, netdev@oss.sgi.com
Subject: Re: [PATCH + RFC] neighbour/ARP cache scalability
Date: Tue, 21 Sep 2004 10:39:21 -0600 [thread overview]
Message-ID: <1095784761.3934.52.camel@tim.rtg.net> (raw)
In-Reply-To: <20040922.010428.104988024.yoshfuji@linux-ipv6.org>
On Tue, 2004-09-21 at 10:04, YOSHIFUJI Hideaki / 吉藤英明 wrote:
> In article <Pine.LNX.4.44.0409211856260.9906-100000@netcore.fi> (at Tue, 21 Sep 2004 18:58:05 +0300 (EEST)), Pekka Savola <pekkas@netcore.fi> says:
>
> > This still doesn't take a stance on rate-limiting the ND/ARP packets,
> > in case that there still is enough memory, but some kind of attack is
> > clearly underway. Should it still be done? Consider 100Kpps of
> > router-generated ARP/ND probes -- not good!
>
Detecting an attack would require some kind of heuristic in the core
router code. I believe that logic is better suited for an iptables
filter. Why burden well guarded machines that are unikely to experience
this kind of attack? I think the only thing NUD should do is limit the
absolute number of NUD entries that it can create. Give it a sysctl knob
for large networks, but make the default something reasonable (like
2K).
I've developed a variant of the Port Scan Detector (PSD) iptables filter
that combats this very problem. It only allows so many destination
IP/Port pairs from a given address to be opened over time. This limits
the rate at which connections can be opened as well as the absolute
number. For example, on my edge routers I set the policy that no single
IP source address can create more then 64 connections within a 30 second
sliding window. This has made a huge impact on the ARP storms that our
network used to experience.
rtg
--
timg@tpi.com http://www.tpi.com
406-443-5357(MT) 503-601-0234(OR)
next prev parent reply other threads:[~2004-09-21 16:39 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-09-20 22:51 [PATCH + RFC] neighbour/ARP cache scalability Harald Welte
2004-09-21 6:29 ` David S. Miller
2004-09-21 7:04 ` Andre Tomt
2004-09-21 7:37 ` Robert Olsson
2004-09-21 8:58 ` Andi Kleen
2004-09-21 11:19 ` Pekka Savola
2004-09-21 13:49 ` Harald Welte
2004-09-21 14:10 ` Pekka Savola
2004-09-21 15:14 ` YOSHIFUJI Hideaki / 吉藤英明
2004-09-21 15:36 ` Robert Olsson
2004-09-21 15:59 ` YOSHIFUJI Hideaki / 吉藤英明
2004-09-21 15:58 ` Pekka Savola
2004-09-21 16:04 ` YOSHIFUJI Hideaki / 吉藤英明
2004-09-21 16:39 ` Tim Gardner [this message]
2004-09-21 17:31 ` Andi Kleen
2004-09-21 17:58 ` Tim Gardner
2004-09-21 18:15 ` Andi Kleen
2004-09-21 20:34 ` Harald Welte
2004-09-21 20:58 ` Tim Gardner
2004-09-22 1:14 ` Harald Welte
2004-09-22 3:31 ` David S. Miller
2004-09-22 11:14 ` Harald Welte
2004-09-24 5:53 ` David S. Miller
2004-09-24 7:14 ` Glen Turner
2004-09-24 5:47 ` David S. Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1095784761.3934.52.camel@tim.rtg.net \
--to=timg@tpi.com \
--cc=laforge@gnumonks.org \
--cc=netdev@oss.sgi.com \
--cc=pekkas@netcore.fi \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).