Hi everyone! Question about "rate limiting" and DoS mitigating features of 2.4's iptables. With iptables, it's possible to limit the acceptance of different types of packets to a certain level, in order to try to mitigate DoS attacks on the box (syn floods, ping floods, etc). I realize that most DoS attacks happen as a result of the CPU being unable to keep up, and not bandwidth limitations, but I'm unsure as to why rate limiting packets works to lessen CPU processing load. Doesn't the kernel still have to use cycles to process the packets before deciding to throw them out, or pass them on? And if so, is the cost savings in terms of CPU load just because they don't get passed to other system facilities which would otherwise respond and use more CPU cycles? Or does this make any sense? :) -- Adrian Chung (adrian at enfusion-group dot com) http://www.enfusion-group.com/~adrian GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17 [rogue.enfusion-group.com] 1:10pm up 31 days, 23 min, 2 users
