> (4) Rate limiting. The ability to rate limit incoming and outgoing data can prevent certain sorts of DoSes.
I am not sure what makes you believe that. The ability to rate limit incoming data at the server level would definitely not prevent a DoS.
The ability to rate limit outgoing data would cause a DoS of anything other than DoS traffic that is hosted on the server.
It may be good practice to rate limit outgoing ICMP PING replies from your server to the real world. Kind of like being a good neighbor in the event of certain types of attacks on other parties.

This can be extended into more specific types of outgoing rate limits. For example, an ISP DNS recurser that normally serves 1Mbps of traffic in aggregate but lives on a 1Gbps ethernet might use a per-destination outgoing limit to restrict the amount of damage that could be inflicted on a remote DNS server (without affecting other destinations); things like FreeBSD ipfw/dummynet and Linux (mumble) have these sorts of capabilities.

I can see some usefulness in rate limiting as a form of sanity enforcement. Your average switch cannot do the more complex forms in silicon.

... JG

-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
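The per-destination outgoing limit described in the post above, simulated as an added example (this is not code from the original post, nor ipfw/dummynet or Linux tc configuration): a token bucket keyed on destination address, run over a constructed one-second trace in which one remote DNS server is flooded while a second destination sees ordinary traffic. The addresses, rates, burst size and packet sizes are assumed demo values, chosen to mirror the recurser-on-a-1Gbps-port scenario.

```python
"""Per-destination egress rate limiting, simulated.

Added example, not from the original post: a token-bucket limiter keyed
on destination address, which is the policy a dummynet pipe with a
dst-ip mask (or a per-destination tc policer on Linux) enforces. It
shows why an outbound per-destination cap bounds the damage an abused
recurser can do to one remote server while traffic to every other
destination passes untouched. Rates, sizes and the trace are constructed.
"""
from collections import defaultdict


class PerDestinationLimiter:
    """One token bucket per destination: `rate_bps` bytes/s, at most `burst_bytes` stored."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps
        self.burst = burst_bytes
        self.tokens = defaultdict(lambda: burst_bytes)  # each bucket starts full
        self.last = {}

    def allow(self, dst, nbytes, now):
        # Refill this destination's bucket for the time elapsed since its last packet.
        last = self.last.get(dst, now)
        self.tokens[dst] = min(self.burst, self.tokens[dst] + (now - last) * self.rate)
        self.last[dst] = now
        if self.tokens[dst] >= nbytes:
            self.tokens[dst] -= nbytes
            return True
        return False  # drop: this packet would exceed the per-destination cap


def simulate(limiter, trace):
    """Run a (time, dst, size) trace; return bytes offered and bytes sent per destination."""
    offered = defaultdict(int)
    sent = defaultdict(int)
    for t, dst, size in trace:
        offered[dst] += size
        if limiter.allow(dst, size, t):
            sent[dst] += size
    return dict(offered), dict(sent)


def build_trace():
    """Constructed 1 s trace of 100-byte DNS-sized packets (RFC 5737 documentation addresses)."""
    trace = []
    for i in range(10_000):
        trace.append((i / 10_000, "198.51.100.53", 100))  # victim: 10,000 pps = 1 MB/s
    for i in range(50):
        trace.append((i / 50, "203.0.113.53", 100))        # ordinary destination: 50 pps
    trace.sort()
    return trace


def run_demo():
    """Cap every destination at 100 kB/s with a 10 kB burst (assumed demo values)."""
    limiter = PerDestinationLimiter(rate_bps=100_000, burst_bytes=10_000)
    return simulate(limiter, build_trace())


if __name__ == "__main__":
    offered, sent = run_demo()
    for dst in sorted(offered):
        print(f"{dst}: offered {offered[dst]} B, sent {sent[dst]} B")
```

The flooded destination is held to roughly the cap plus the initial burst (about 110 kB over the second), while the second destination's 5 kB passes in full, which is the property the post wants: the limiter protects the remote server without touching the recurser's other traffic. The same shaping, in dummynet terms, is a pipe configured with a destination-address mask so that each destination gets its own queue; an aggregate limit on the whole interface would instead starve the legitimate destinations first.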