I don't need no stinking firewall!

> (4) Rate limiting. The ability to rate limit incoming and outgoing data
> can prevent certain sorts of DoSes.

I am not sure what makes you believe that. The ability to rate limit
incoming data at the server level would definitely not prevent a DoS.

The ability to rate limit outgoing data would cause a DoS of anything
other than DoS traffic that is hosted on the server.

It may be good practice to rate limit outgoing ICMP PING replies from your
server to the real world. Kind of like being a good neighbor in the event
of certain types of attacks on other parties.

This can be extended into more specific types of outgoing rate limits.
For example, an ISP DNS recurser that normally serves 1Mbps of traffic
in aggregate but lives on a 1Gbps ethernet might use a per-destination
outgoing limit to restrict the amount of damage that could be inflicted
on a remote DNS server (without affecting other destinations); things
like FreeBSD ipfw/dummynet and Linux (mumble) have these sorts of
capabilities.

I can see some usefulness in rate limiting as a form of sanity
enforcement. Your average switch cannot do the more complex forms in
silicon.

... JG
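The per-destination outgoing limit JG describes for the ISP recursor, as an added illustration (my own userspace model, not code from the post and not ipfw/dummynet itself): a token-bucket limiter keyed on destination address, run over a constructed one-second trace of outgoing DNS replies. The rate (1 Mbit/s per destination), the burst (12345 bytes), the addresses and the packet trace are all assumptions made up for the example. The aggregate mode is there only to show the contrast: a single shared bucket lets the flood toward one host steal capacity from the ordinary client, while the per-destination bucket caps the flood and leaves the client untouched.

```python
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `rate` bytes/second refill, `burst` bytes maximum."""

    def __init__(self, rate, burst, now):
        self.rate = rate
        self.burst = burst
        self.tokens = burst
        self.last = now

    def take(self, size, now):
        # Refill for the time elapsed since the previous packet, capped at burst.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class OutgoingLimiter:
    """Limit outgoing bytes per flow key.

    key=lambda dst: dst gives one bucket per destination address (the
    per-destination limit from the post); key=lambda dst: "all" gives a
    single shared bucket, included for comparison.
    """

    def __init__(self, rate_bps, burst_bytes, key):
        self.rate = rate_bps / 8.0      # bits/s -> bytes/s
        self.burst = float(burst_bytes)
        self.key = key
        self.buckets = {}

    def allow(self, dst, size, now):
        k = self.key(dst)
        bucket = self.buckets.get(k)
        if bucket is None:
            bucket = self.buckets[k] = TokenBucket(self.rate, self.burst, now)
        return bucket.take(size, now)


def simulate(packets, rate_bps, burst_bytes, per_destination=True):
    """Run a (time, dst, size) trace; return {dst: (sent_bytes, dropped_bytes)}."""
    key = (lambda dst: dst) if per_destination else (lambda dst: "all")
    limiter = OutgoingLimiter(rate_bps, burst_bytes, key)
    stats = defaultdict(lambda: [0, 0])
    for t, dst, size in sorted(packets):
        stats[dst][0 if limiter.allow(dst, size, t) else 1] += size
    return {dst: tuple(v) for dst, v in stats.items()}


VICTIM = "192.0.2.10"      # constructed: host being hit with reflected replies
CLIENT = "198.51.100.20"   # constructed: an ordinary resolver client


def constructed_trace():
    """One second of outgoing recursor replies (constructed, not captured):
    1000 x 3000-byte replies toward VICTIM (24 Mbit/s of amplification)
    and 10 x 500-byte replies toward CLIENT."""
    pkts = [(i / 1000.0, VICTIM, 3000) for i in range(1000)]
    pkts += [(j / 10.0, CLIENT, 500) for j in range(10)]
    return pkts


if __name__ == "__main__":
    for mode in (True, False):
        res = simulate(constructed_trace(), 1_000_000, 12345, per_destination=mode)
        print("per-destination" if mode else "aggregate", res)
```

With the per-destination key the flood is held to the 1 Mbit/s budget (plus the initial burst) and the client's ten replies all go out; with the shared bucket the same flood also costs the client a reply. On FreeBSD the kernel construct that does this is a dummynet pipe configured with a destination mask (`mask dst-ip 0xffffffff`), which makes dummynet instantiate a separate dynamic pipe for each destination address the ipfw rule sends it.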