[lug] IP Tables
Nate Duehr
nate at natetech.com
Mon Sep 24 13:41:32 MDT 2007
Sean Reifschneider wrote:
> On Sat, Sep 22, 2007 at 06:32:57PM -0600, Nate Duehr wrote:
>> karl horlen wrote:
>>> rule? if i could do that, i could at least limit the
>>> bandwidth ping attacks consume on my pipe. I know it
>
> Nope, the data has already consumed your traffic. You could only limit the
> response on it. By the time you drop it, it's already consumed your
> bandwidth.
In one direction.
If you have an asymmetric link to the Net, with an uplink speed lower
than downlink (typical residential connection), the downlink side can
still have bandwidth available, but your own replies to a "REJECT" DoS
type of attack can fill the pipe -- breaking most things that are also
using the upstream for TCP ACKs and other "overhead", by causing them
to time out.
"If in doubt, throw it out." :-)
Nate
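An added example, not from the thread, of the choice Nate describes: an INPUT chain that answers a bounded rate of pings and silently DROPs everything else, shown beside the REJECT variant whose reply packets cost upstream bandwidth. The functions only print the iptables commands (a dry run, so it works offline); the rate and burst values are assumed, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): INPUT chain that answers a bounded
# rate of pings and silently DROPs the rest, instead of REJECTing them.
# On an asymmetric link every REJECT costs an outbound ICMP error, so a
# flood of unwanted packets can saturate the narrow uplink even when the
# downlink still has room; DROP sends nothing back.
#
# The functions only print the iptables commands, so the script runs
# offline as a dry run; pipe fw_rules into sh as root to apply them.

# Maximum echo requests per second we are willing to answer (assumed values).
PING_RATE="${PING_RATE:-2/s}"
PING_BURST="${PING_BURST:-5}"

fw_rules() {
    echo "iptables -F INPUT"
    # Replies to traffic we initiated, and loopback, are always fine.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Answer a small, bounded number of pings so reachability checks still work...
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit $PING_RATE --limit-burst $PING_BURST -j ACCEPT"
    # ...and drop the excess without a reply (no upstream bandwidth spent).
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -j DROP"
    # Anything else unsolicited: DROP, not REJECT, for the same reason.
    echo "iptables -A INPUT -j DROP"
}

# Counterexample for comparison: the same catch-all written with REJECT.
# Each matching packet triggers an outbound ICMP port-unreachable message,
# which is the upstream cost Nate describes.
reject_variant() {
    echo "iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable"
}

# Count how many rules on stdin would send a reply packet back toward the
# sender (REJECT targets); the DROP-based set above yields 0.
count_replying_rules() {
    grep -c -- '-j REJECT' || true
}

fw_rules
```

Run as `sh rules.sh | sudo sh` to apply; run it alone to review the generated rules first.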