Re: Firewalling and network resource consumption while under attack

Brandon S. Allbery KF8NH (allbery@kf8nh.apk.net)
Mon, 21 Sep 1998 19:02:34 -0300


In message <19980921201047.A616@hal.rnl.ist.utl.pt>, Carlos Morgado writes:
+-----
| On Mon, Sep 21, 1998 at 08:43:06AM -0700, david wrote:
| > If a firewall rule is in place to drop the packet on the floor, should
| > those packets still be allowed to consume the entire network stack?
|
| How do you propose telling what packets to drop *without* looking at them?
| Frames must be reassembled and backlogged while waiting for processing.
+--->8

if (backlog_is_too_large()) {
	drop_packet(); /* probably skb_free() */
	return;
}

Do this early so you minimize the additional impact.

If the system is being overwhelmed by packets, you don't want to analyze
them; you can either drop them directly or let them congest you and
essentially force you to drop them anyway.

-- 
brandon s. allbery	[os/2][linux][solaris][japh]	 allbery@kf8nh.apk.net
system administrator	     [WAY too many hats]	   allbery@ece.cmu.edu
electrical and computer engineering					 KF8NH
carnegie mellon university
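
The early-drop check sketched in the message above, as an added example that is not part of the original post and is not kernel code: a constructed user-space simulation in which packets that arrive at a full backlog are discarded before any rule evaluation. BACKLOG_MAX, BLOCKED_SRC, rx_enqueue, process_backlog and simulate are hypothetical names, and the load pattern is made up for the demo.

```c
#include <stdio.h>
#include <string.h>

#define BACKLOG_MAX 4   /* assumed queue limit for this demo */
#define BLOCKED_SRC 99  /* constructed source id that the rule check rejects */
struct rx_stats { unsigned queued, dropped_early, inspected, dropped_by_rule; };
struct backlog  { int src[BACKLOG_MAX]; size_t len; };
static int backlog_is_too_large(const struct backlog *b) { return b->len >= BACKLOG_MAX; }

/* Receive path: the cheap length check runs before any other work. */
static void rx_enqueue(struct backlog *b, int src, struct rx_stats *st)
{
    if (backlog_is_too_large(b)) {
        st->dropped_early++;            /* discarded without being examined */
        return;
    }
    b->src[b->len++] = src;
    st->queued++;
}

/* Consumer: rule evaluation (the costly step) on at most `budget` packets. */
static void process_backlog(struct backlog *b, size_t budget, struct rx_stats *st)
{
    size_t n = b->len < budget ? b->len : budget;
    for (size_t i = 0; i < n; i++) {
        st->inspected++;
        st->dropped_by_rule += (b->src[i] == BLOCKED_SRC);
    }
    memmove(b->src, b->src + n, (b->len - n) * sizeof b->src[0]);
    b->len -= n;
}

/* Constructed load: `burst` packets arrive per tick, `budget` get processed. */
static struct rx_stats simulate(unsigned ticks, unsigned burst, size_t budget)
{
    struct rx_stats st = {0, 0, 0, 0};
    struct backlog b = {{0}, 0};
    for (unsigned t = 0; t < ticks; t++) {
        for (unsigned i = 0; i < burst; i++)
            rx_enqueue(&b, (i % 2) ? BLOCKED_SRC : 1, &st);
        process_backlog(&b, budget, &st);
    }
    return st;
}

int main(void)
{
    struct rx_stats s = simulate(3, 10, 2);  /* overload: 10 in, 2 out per tick */
    printf("queued=%u early=%u inspected=%u\n", s.queued, s.dropped_early, s.inspected);
    return 0;
}
```

Under the overload case, rule evaluation stays bounded by the consumer's budget while the excess is shed at the queue check; with arrivals matching the budget, nothing is dropped early.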
