
Re: [Xen-devel] [PATCH v3 1/3][xen-netback] add a pseudo pps rate limit



On Jul09 16:42, Sander Eikelenboom wrote:
> Ok so the main usage scenario is not inbound traffic from the outside world 
> that issues a (D)DOS,
> but rather a (malicious) guest that could issue a DOS on the host system by
> draining the resources of the netback driver by sending many packets per 
> second.
> And that this scenario can't be circumvented with netfilter because it 
> doesn't come into play yet (on the host).

Yes Sander, your example perfectly illustrates the worst case.
IMHO it makes sense to filter traffic as soon as possible.
Using netfilter for inbound traffic could make sense, but outbound
filtering in netfront would be the best choice; this solution sounds too
risky. For outbound traffic, even if the host is not the target of the
DDOS attack, netfilter will consume way more resources in order to stop
the attack.

-- 
William
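As an added illustration (not the patch under discussion and not xen-netback code), a per-vif token-bucket packets-per-second limiter in C, of the kind a netback-side limit would apply to a guest's transmit ring before the packets ever reach host netfilter. The struct and function names, the 1000 pps rate and the burst of 10 are assumed for the example.

```c
#include <stdint.h>
#include <stdbool.h>

#define NS_PER_SEC 1000000000ULL

/* Hypothetical per-vif limiter state: one bucket per guest interface. */
struct vif_pps_limit {
    uint64_t rate_pps;  /* sustained packets per second the guest may send */
    uint64_t burst;     /* bucket capacity: largest burst admitted at once */
    uint64_t tokens;    /* tokens currently available */
    uint64_t last_ns;   /* time up to which refill has been accounted */
    uint64_t dropped;   /* packets refused, useful for host-side monitoring */
};

void vif_pps_init(struct vif_pps_limit *l, uint64_t rate_pps,
                  uint64_t burst, uint64_t now_ns)
{
    l->rate_pps = rate_pps;
    l->burst = burst;
    l->tokens = burst;       /* start full so a normal guest is unaffected */
    l->last_ns = now_ns;
    l->dropped = 0;
}

static void vif_pps_refill(struct vif_pps_limit *l, uint64_t now_ns)
{
    if (now_ns <= l->last_ns)
        return;                      /* clock did not advance: nothing earned */
    uint64_t elapsed = now_ns - l->last_ns;
    uint64_t earned = (elapsed * l->rate_pps) / NS_PER_SEC;
    if (earned == 0)
        return;                      /* keep the fraction for the next call */
    l->tokens += earned;
    if (l->tokens > l->burst)
        l->tokens = l->burst;        /* idle time never grants more than burst */
    l->last_ns += (earned * NS_PER_SEC) / l->rate_pps;
}

/* Called per packet taken from the guest's TX ring; false means drop. */
bool vif_pps_allow(struct vif_pps_limit *l, uint64_t now_ns)
{
    vif_pps_refill(l, now_ns);
    if (l->tokens == 0) {
        l->dropped++;
        return false;
    }
    l->tokens--;
    return true;
}

/* Admit up to 'attempts' packets at one instant; returns how many got through. */
uint64_t vif_pps_try_burst(struct vif_pps_limit *l, uint64_t now_ns, uint64_t attempts)
{
    uint64_t ok = 0;
    for (uint64_t i = 0; i < attempts; i++)
        if (vif_pps_allow(l, now_ns))
            ok++;
    return ok;
}
```

A guest that floods the ring is capped at the burst size per instant and at rate_pps over time, while the dropped counter gives the host a cheap signal that a vif is misbehaving.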


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
