On Thu, Jun 07, 2001 at 01:10:44PM -0400, Adrian Chung wrote:
> Hi everyone! Question about "rate limiting" and DoS mitigating
> features of 2.4's iptables.
>
> With iptables, it's possible to limit the acceptance of different
> types of packets to a certain level, in order to try to mitigate DoS
> attacks on the box (SYN floods, ping floods, etc).
>
> I realize that most DoS attacks happen as a result of the CPU being
> unable to keep up, and not bandwidth limitations, but I'm unsure as to
> why rate limiting packets works to lessen CPU processing load.
>
> Doesn't the kernel still have to use cycles to process the packets
> before deciding to throw them out, or pass them on? And if so, is the
> cost savings in terms of CPU load just because they don't get passed
> to other system facilities which would otherwise respond and use more
> CPU cycles?

I think that DoS or DDoS are mainly affecting the kernel buffer usage,
especially in the case of SYN flooding. The CPU cycles might also be a
problem, but checking the packet as it comes in and dropping it is much
less CPU intensive than processing and routing the packet.

Ramin

> Or does this make any sense? :)
>
> --
> Adrian Chung (adrian at enfusion-group dot com)
> http://www.enfusion-group.com/~adrian
> GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
> [rogue.enfusion-group.com] 1:10pm up 31 days, 23 min, 2 users
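The rate limiting the thread discusses is iptables' `-m limit` match, which is a token bucket: `--limit-burst` tokens are available up front and refill at `--limit` per second, and a SYN that finds no token falls through to a following DROP rule before the TCP stack ever allocates state for it. The model below is an added example written for this thread, not code from the list or from netfilter; the arrival times are constructed, and the rule pair it simulates is `-p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT` followed by `-p tcp --syn -j DROP`.

```python
# Token-bucket model of iptables "-m limit" applied to inbound TCP SYNs.
# Constructed example: the netfilter implementation counts credits in
# kernel ticks, but the accept/drop semantics are the same as this bucket.

class LimitMatch:
    """Mirrors --limit <rate>/s --limit-burst <burst>."""

    def __init__(self, rate_per_sec: float, burst: int):
        self.rate = rate_per_sec
        self.burst = burst
        self.tokens = float(burst)   # bucket starts full
        self.last = 0.0              # time of last packet seen (seconds)

    def matches(self, now: float) -> bool:
        # Refill proportionally to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0       # rule 1 matches: ACCEPT
            return True
        return False                 # rule 1 fails: next rule is DROP


def filter_syns(arrivals, rate_per_sec=1.0, burst=4):
    """Run a list of SYN arrival times (seconds, ascending) through the
    ACCEPT/DROP pair and return (accepted, dropped) counts."""
    lim = LimitMatch(rate_per_sec, burst)
    accepted = dropped = 0
    for t in arrivals:
        if lim.matches(t):
            accepted += 1
        else:
            dropped += 1             # discarded before any TCP work is done
    return accepted, dropped


# Constructed traffic: a flood of 100 SYNs at t=0, then one legitimate
# SYN half a second later and another two seconds in.
FLOOD = [0.0] * 100
LATE_LEGIT = FLOOD + [2.0]
EARLY_LEGIT = FLOOD + [0.5]

if __name__ == "__main__":
    print("flood only      :", filter_syns(FLOOD))          # (4, 96)
    print("legit at t=2.0  :", filter_syns(LATE_LEGIT))     # (5, 96)
    print("legit at t=0.5  :", filter_syns(EARLY_LEGIT))    # (4, 97)
```

The last case shows the cost of this defence: during a flood the bucket is empty, so a legitimate SYN arriving before a token has refilled is dropped along with the attack traffic, which is why the limit is usually set above the expected connection rate.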