From: William Dauchy
Subject: Re: [PATCH v3 1/3][xen-netback] add a pseudo pps rate limit
Date: Tue, 9 Jul 2013 17:19:03 +0200
Message-ID: <20130709151903.GO20956@gandi.net>
References: <1373372649-9029-1-git-send-email-william@gandi.net> <1373372649-9029-2-git-send-email-william@gandi.net> <1483688847.20130709154850@eikelenboom.it> <20130709140117.GN20956@gandi.net> <1026657527.20130709164229@eikelenboom.it>
In-Reply-To: <1026657527.20130709164229@eikelenboom.it>
To: Sander Eikelenboom
Cc: Wei Liu, Ian Campbell, William Dauchy, Ahmed Amamou, xen-devel, Kamel Haddadou
List-Id: xen-devel@lists.xenproject.org

On Jul09 16:42, Sander Eikelenboom wrote:
> Ok so the main usage scenario is not inbound traffic from the outside world that issues a (D)DOS,
> but rather a (malicious) guest that could issue a DOS on the host system by
> draining the resources of the netback driver by sending many packets per second.
> And that this scenario can't be circumvented with netfilter because it doesn't come into play yet (on the host).

Yes Sander, your example perfectly illustrates the worst case.
IMHO it makes sense to filter traffic as soon as possible. Using netfilter for inbound traffic could make sense, but outbound filtering in netfront would be the best choice; this solution sounds too risky.
For outbound traffic, even if the host is not the target of the DDOS attack, netfilter will consume way more resources in order to stop the attack.

-- 
William

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
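As an added illustration, not code from the patch, from xen-netback or from any participant in the thread, here is the shape of the per-vif packet-credit check the thread is discussing: the backend decides in its own transmit path, before any netfilter hook on the host could see the packet, whether a guest's next packet fits its packets-per-second budget, and otherwise stops pulling from that guest's ring until the period rolls over. The struct layout, function names, the reset-rather-than-accumulate refill policy and the 100 packets per 1000 usec budget are assumptions for this example.

```c
/* Per-vif packet-credit limiter: an illustration of a pps budget enforced
 * in the backend's transmit path.  Not xen-netback's code; every name and
 * number here is an assumption for the example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct vif_pps {
    uint64_t credit_pkts;   /* packets the guest may send per period */
    uint64_t credit_usec;   /* length of the period, in microseconds */
    uint64_t remaining;     /* packets still allowed in the current period */
    uint64_t period_start;  /* timestamp (usec) of the last refill */
};

void vif_pps_init(struct vif_pps *v, uint64_t credit_pkts,
                  uint64_t credit_usec, uint64_t now)
{
    v->credit_pkts = credit_pkts;
    v->credit_usec = credit_usec;
    v->remaining = credit_pkts;
    v->period_start = now;
}

/* Refill once a full period has elapsed.  The credit is reset, not
 * accumulated (an assumed policy): an idle guest cannot bank a large burst
 * and then dump it on the backend all at once. */
static void vif_pps_refill(struct vif_pps *v, uint64_t now)
{
    if (now - v->period_start >= v->credit_usec) {
        v->remaining = v->credit_pkts;
        v->period_start = now;
    }
}

/* true: forward the packet now.  false: the backend should stop servicing
 * this vif's ring until the next period, so the guest's burst costs the
 * host nothing beyond this check. */
bool vif_pps_allow(struct vif_pps *v, uint64_t now)
{
    vif_pps_refill(v, now);
    if (v->remaining == 0)
        return false;
    v->remaining--;
    return true;
}

/* Constructed scenario: a guest offers `offered` packets, evenly spread,
 * in each of `periods` periods.  Returns how many the backend forwards. */
uint64_t simulate_burst(uint64_t credit_pkts, uint64_t credit_usec,
                        uint64_t offered, uint64_t periods)
{
    struct vif_pps v;
    uint64_t forwarded = 0;

    vif_pps_init(&v, credit_pkts, credit_usec, 0);
    for (uint64_t p = 0; p < periods; p++) {
        uint64_t base = p * credit_usec;
        for (uint64_t i = 0; i < offered; i++) {
            uint64_t now = base + (i * credit_usec) / offered;
            if (vif_pps_allow(&v, now))
                forwarded++;
        }
    }
    return forwarded;
}

int main(void)
{
    /* Assumed budget: 100 packets per 1000 usec (100k pps). */
    uint64_t flood = simulate_burst(100, 1000, 1000, 10);
    uint64_t polite = simulate_burst(100, 1000, 50, 10);

    printf("flooding guest: offered 10000, forwarded %llu\n",
           (unsigned long long)flood);
    printf("well-behaved guest: offered 500, forwarded %llu\n",
           (unsigned long long)polite);
    return 0;
}
```

The point of the check is where it runs: the drop decision is a counter compare on the backend side of the ring, so a guest pumping packets ten times over budget costs the host one comparison per packet instead of a full skb allocation plus a walk through the bridge and netfilter for every one of them.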