On Thu, Jun 07, 2001 at 01:10:44PM -0400, Adrian Chung wrote:
> Hi everyone! Question about "rate limiting" and DoS mitigating
> features of 2.4's iptables.
>
> With iptables, it's possible to limit the acceptance of different
> types of packets to a certain level, in order to try to mitigate DoS
> attacks on the box (syn floods, ping floods, etc).
>
> I realize that most DoS attacks happen as a result of the CPU being
> unable to keep up, and not bandwidth limitations, but I'm unsure
> as to why rate limiting packets works to lessen CPU processing load.
>
> Doesn't the kernel still have to use cycles to process the packets
> before deciding to throw them out, or pass them on? And if so, is the
> cost savings in terms of CPU load just because they don't get
> passed to other system facilities which would otherwise respond and use more
> CPU cycles?
I think that DoS or DDoS attacks mainly affect kernel buffer usage,
especially in the case of SYN flooding. CPU cycles might also be a
problem, but checking a packet as it comes in and dropping it is much
less CPU-intensive than processing and routing the packet.
Ramin
>
> Or does this make any sense? :)
>
> --
> Adrian Chung (adrian at enfusion-group dot com)
> http://www.enfusion-group.com/~adrian
> GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
> [rogue.enfusion-group.com] 1:10pm up 31 days, 23 min, 2 users
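As an added example (not part of the thread above, and not Adrian's or Ramin's own rules), here is what the rate limiting Adrian asks about looks like for the two cases he names, SYN floods and ping floods, using the `limit` match that ships with 2.4 netfilter. The rules go in the INPUT chain, so a flood is dropped by the packet filter before it ever reaches the TCP or ICMP code and allocates connection or socket buffer state; that early drop is where Ramin's saving comes from. The rates, bursts and the `APPLY` / `SYN_RATE` / `PING_RATE` variable names are this example's own choices, not anything from the thread. By default the script only prints the rules; setting `APPLY=1` runs them, which needs root.

```shell
#!/bin/sh
# Added example: iptables rate limiting for SYN floods and ping floods on a
# 2.4 kernel with the "limit" match. Not from the original thread.
# Dry run by default (prints the rules); APPLY=1 executes them as root.

# limit_rules MATCH RATE BURST
#   Print an ACCEPT rule that lets through at most RATE packets matching
#   MATCH (a token bucket refilled at RATE and holding up to BURST tokens),
#   followed by a DROP rule that catches everything over the limit.
#   The rules are appended with -A, so they assume no earlier rule in INPUT
#   already accepts these packets.
limit_rules() {
    match=$1
    rate=$2
    burst=$3
    printf 'iptables -A INPUT %s -m limit --limit %s --limit-burst %s -j ACCEPT\n' \
        "$match" "$rate" "$burst"
    printf 'iptables -A INPUT %s -j DROP\n' "$match"
}

# flood_rules
#   The full rule set for the two flood types discussed in the thread.
#   --syn is iptables shorthand for SYN set with ACK and RST clear, i.e. a
#   new connection attempt; the defaults below (5 SYN/s, 1 ping/s) are
#   illustrative values chosen for this example, not recommendations.
flood_rules() {
    # New TCP connections: excess SYNs are dropped before the TCP stack
    # would allocate a half-open connection for them.
    limit_rules '-p tcp --syn' "${SYN_RATE:-5/second}" "${SYN_BURST:-10}"
    # ICMP echo requests: excess pings are dropped before the ICMP code
    # would build and send an echo reply.
    limit_rules '-p icmp --icmp-type echo-request' \
        "${PING_RATE:-1/second}" "${PING_BURST:-4}"
}

if [ "${APPLY:-0}" = 1 ]; then
    # Execute each printed rule; stop at the first iptables error.
    flood_rules | sh -e
else
    flood_rules
fi
```

Two caveats a practitioner should keep in mind with this ruleset. First, `limit` throttles what is accepted, not who sends it: during a real flood the bucket is emptied by the attacker, so most legitimate SYNs are dropped too. It keeps the box responsive (no exhausted backlog or buffers, and each dropped packet costs only the match in the filter), but it does not keep the service usable. Second, for SYN floods specifically, 2.4 also offers SYN cookies (`net.ipv4.tcp_syncookies`), which avoid keeping state for half-open connections instead of dropping the SYNs, and the two can be used together.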