D-Link NetDefend DFL-210 User Manual page 231

Network security firewall ver. 1.05
10.1.6. Grouping Users of a Pipe
Measuring and shaping at the entrance of a choke point
If you are protecting the "entrance" to a network bottleneck, i.e. outbound data in your firewall, you
can probably set the total limit very close to the bandwidth of your connection.
Measuring and shaping at the exit of a choke point
If you're protecting the "exit" of a network bottleneck, i.e. inbound data in your firewall, you should
probably set it a bit lower than the bandwidth of your connection. There are two risks involved in
setting your limits so that they exactly match your inbound bandwidth:
In the worst-case scenario, you could have a few stray packets per second consuming a fraction of your connection's bandwidth. As a result, your pipes will never think that they are full.
There is also a much more real risk of having throttling adjustments taking too long a time, as the pipe will only see a "little" overload. If there is only a slight overload, then only slight adjustments will be made. This may result in very slow adaptations to new precedence distributions, possibly as slow as half a minute.
Then, of course, there is the risk for connection overload. As you are shaping at the exit of the bottleneck, you have no control over what actually enters the bottleneck. As long as you are shaping well-behaved TCP, your traffic shaper will work, and even if internal clients stress the connection by sending phony ACKs, or whatever, they will not get much out of it, as the traffic shaper will just keep queuing packets destined for them.
However, shaping at the exit of a bottleneck does not protect against resource exhaustion attacks, such as DDoS or other floods. If someone is just bombarding you, they can overload your connection, and your traffic shaper cannot do anything about it. Sure, it will keep these extraneous packets from reaching the computers behind the shaper, but it will not protect your connection, and if your connection gets flooded, the attacker has won.
Some ISPs allow co-location, so if you believe that flooding is a realistic threat to you, you should
consider co-locating your traffic shaper at the Internet side of your connection.
Bandwidth can't be guaranteed without knowing the available bandwidth
For any traffic shaper to work, it needs to know the bandwidth passing through the choke point that
it is trying to "protect".
If you are sharing your internet connection with other users or servers that are not under the control of your firewall, it is nearly impossible to guarantee, prioritize or balance bandwidth, simply because the firewall won't know how much bandwidth is available for your network. Simple limits will of course work, but guarantees, priorities and dynamic balancing will not.
Watch for leaks!
If you set out to protect and shape a network bottleneck, make sure that all traffic passing through
that bottleneck passes through your pipes.
If there's traffic going through your Internet connection that the pipes do not know about, they will
not know when the Internet connection is full.
The problems resulting from leaks are exactly the same as in the cases described above. Traffic
"leaking" through your firewall without being measured by your pipes will have the same effect as
bandwidth consumed by parties outside of your control but sharing the same connection as you.
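The following toy simulation is an added illustration (not part of the D-Link manual) of the two situations described above: a pipe shaping at the exit of a choke point whose limit equals the real link bandwidth, while some traffic (the "stray packets" or a "leak") crosses the link unmeasured. It compares that against a pipe limit set below the link bandwidth, as the text recommends. The traffic classes, rates and the simple TCP back-off rule are assumptions made for the illustration, not NetDefend's internal algorithm.

```python
"""Toy model of shaping at the exit of a choke point (inbound traffic).

Constructed example: a high-precedence flow that is satisfied at HIGH_DEMAND
and a greedy low-precedence flow share one inbound link. LEAK_KBPS crosses the
link but never passes through the pipe. Senders are "well-behaved TCP",
modelled as: fall back to what got through on loss, otherwise add STEP.
All rates are kbit/s and all numbers are made up."""

LINK_KBPS = 10000      # real capacity of the inbound connection
LEAK_KBPS = 500        # traffic crossing the link that the pipe never measures
HIGH_DEMAND = 3000     # the high precedence flow never asks for more than this
STEP = 500             # additive increase of a sender after a loss-free round


def simulate(pipe_limit, rounds=40):
    """Return per-round (high_sent, low_sent, pipe_full) tuples."""
    high, low = 3000.0, 3000.0          # currently offered rates
    history = []
    for _ in range(rounds):
        # 1. The link, upstream of the firewall, delivers at most capacity minus
        #    the leak and drops the excess proportionally across both classes.
        offered = high + low
        scale = min(1.0, (LINK_KBPS - LEAK_KBPS) / offered)
        high_in, low_in = high * scale, low * scale
        # 2. The pipe only throttles once the traffic it *measures* reaches its
        #    limit; then high precedence is served first and low gets the rest.
        full = high_in + low_in >= pipe_limit
        if full:
            high_out = min(high_in, pipe_limit)
            low_out = min(low_in, pipe_limit - high_out)
        else:
            high_out, low_out = high_in, low_in
        history.append((round(high_out), round(low_out), full))
        # 3. Well-behaved TCP: a sender that saw loss falls back to what got
        #    through; a loss-free round lets it grow by STEP (up to its demand).
        high = high_out if high_out < high else min(HIGH_DEMAND, high + STEP)
        low = low_out if low_out < low else low + STEP
    return history


def summarize(pipe_limit):
    """Did the pipe ever consider itself full, and what did each class get
    in the last ten rounds (the steady state)?"""
    hist = simulate(pipe_limit)
    tail = hist[-10:]
    return {"ever_full": any(f for _, _, f in hist),
            "high_min": min(h for h, _, _ in tail),
            "low_max": max(l for _, l, _ in tail)}


if __name__ == "__main__":
    for limit in (LINK_KBPS, LINK_KBPS - 1000):
        print(f"pipe limit {limit} kbit/s: {summarize(limit)}")
```

With the limit equal to the link bandwidth the pipe never sees itself as full, so the high precedence flow is squeezed by the greedy one; with the limit set 10% lower the pipe fills, precedence takes effect and the high class keeps its full rate.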
Chapter 10. Traffic Management