From: "Robert A. Hayden"
What about doing some priority-based QoS? If a single IP exceeds X amount of traffic, prioritize traffic above that threshold as low. It would keep any one single host from saturating a link if the threshold is low.
For example, you may say that each IP is limited to 10mb of prioirty traffic. Yes, a compromised host may try to barf out 90mb of chaff, but the excess would be moved down the totem pole.
<snip> Down the totem pole isn't off the totem pole. In most cases the issue wasn't traffic priority. Most network equipment isn't designed to handle 100% capacity from all ports. Under standard operation, maximum capacity is never reached. It is cost prohibitive to support it. In addition, this was a dual issue. Not only did the bandwidth saturate, the packets are so small that in reaching for 100% saturation, many routers and switches first exceeded their maximum pps thresholds. The best defense is to monitor and know your traffic. When traffic becomes uncommon, someone needs to be alerted. A 30% processor increase is not a good thing; ever. Second, know the optimizations for your particular equipment and code. Each piece of equipment has it's own optimizations. In my case, it was better to access-list at the router level than to run bandwidth limiting, and I run a crummy 7200. It's even nicer on a 7500+ where it's offloaded to the linecard processors. If a portion of the network or a specific port is unrecoverable, shut it down. The server won't be able to handle traffic anyways, and it is better to cut off a portion of the network than lose the entire network. Jack Bates Network Engineer BrightNet Oklahoma