[unisog] Quota system based on netflows

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Tue Jan 30 16:41:44 GMT 2007


On Tue, 30 Jan 2007 10:02:30 CST, John Kristoff said:
> Just keep in mind the potential for problems.  If I wanted to DoS a
> student off the net down the hall from me, all I have to do is send
> lots of packets that will solicit a response (and if nothing else,
> ARP'ing for the station's address will work).

Note that this is also possible using the netflow model if you can find a way
to send a spoofed packet - plus has the additional fun of possibly DoS'ing the
netflow handler, because each packet will quite likely generate a totally new
netflow record...

> Additionally, in most insitutions where there is a switch port to the
> student, that initial and perhaps a couple hops farther upstream are
> effectively "free" capacity.  That is, it's paid for and is for all
> practical purposes limitless (since all the good stuff that drives
> people to measure this anyway is usually occurring on apps that run
> up the off-campus link costs).  I would encourage people to work on
> solving the "real problem" as effectively and as simply as possible.

The case can be made that it is *not* "for all practical purposes limitless",
as you're almost *certainly* vastly oversubscribed right there at that first
switch (how many 100mbit ports does it have?  how fast is the uplink? and
how much will the uplink and its upstream router go "oink" if everybody decided
to do something high-bandwidth at once?)

The only thing saving you here is that if there's a "flash crowd" of on-campus
traffic, it will probably be hitting an on-campus server, which will fail under
the load before your network does. (Anybody else had a video/podcast server
fall over when all 900 students in a large class go to download the same
thing at the same time? :)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.sans.org/pipermail/unisog/attachments/20070130/212e3954/attachment.bin 


More information about the unisog mailing list