Appendix - MAD Limiter
MAD Limiter is a security tool designed to mitigate Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks targeting the management node.
It achieves this by dropping MADs targeting QP1 based on the receive rate of each node (identified by source LID addresses) within the network.
This feature enhances network stability and security, particularly in high-traffic environments.
DoS/DDoS Protection: Automatically identifies and limits excessive packet rates from individual nodes to protect the management node.
Source-Based Rate Limiting: Operates by monitoring and controlling traffic based on the source LID address of each node.
Hardware Compatibility: The MAD Limiter requires NVIDIA ConnectX-7 adapter cards for operation.
Container Deployment: To run the MAD Limiter in a containerized environment, the container must be started by root.
Event Logging: The current version does not generate Unified Fabric Manager (UFM) events with details of nodes exceeding the rate limits. This feature is planned for a future release.
MAD Limiter is disabled by default. To enable this feature, please follow these instructions:
1. Open the UFM configuration file located at /opt/ufm/files/conf/gv.cfg.
2. Change the parameter mad_limiter_enabled from false to true.
3. Restart the UFM service by executing the following command:
   systemctl restart ufm-enterprise
The default limits of MAD Limiter are designed to ensure that telemetry tools, such as ibdiagnet, operate without experiencing a slowdown. However, these limits can be adjusted by following the steps below:
1. Access the configuration file for MAD Limiter located at /opt/ufm/files/conf/mad_limiter/config.cfg.
2. Modify the parameter global_rate_limit to set the overall rate of MADs accepted from all nodes combined.
3. Adjust the parameter node_rate_limit to control the rate of MADs accepted from a single node.
4. Alter the parameter node_rate_shared_limit to regulate the burst capacity of MADs from an individual node.
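The enable procedure and the limit-tuning procedure above, as an added shell example that is not part of the NVIDIA documentation: it reads and rewrites a key in a config file, refusing to touch gv.cfg when mad_limiter_enabled is already true, and the same cfg_set helper applies to the three limit keys in config.cfg. It assumes both files use INI-style "key = value" lines and that the file path can be overridden so the functions can be tried on a constructed copy first.

```shell
#!/usr/bin/env bash
# Added example (not NVIDIA's code). Assumption: gv.cfg and config.cfg use
# "key = value" lines, possibly commented out with a leading '#'.
set -u

# Print the current value of KEY in FILE (first active, non-comment match),
# or an empty string if the key is absent or only present commented out.
cfg_get() {
    local file="$1" key="$2"
    sed -n -E "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*([^[:space:]]*).*/\1/p" "$file" | head -n 1
}

# Set KEY to VALUE in FILE in place. Rewrites an existing line (including a
# commented-out one) or appends the key if missing. Keeps a timestamped backup
# so the change can be reverted.
cfg_set() {
    local file="$1" key="$2" value="$3"
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    if grep -q -E "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=.*/${key} = ${value}/" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Enable the limiter only if it is not already on.
# Returns 0 when the file was changed (a UFM restart is then needed), 1 otherwise.
enable_mad_limiter() {
    local cfg="${1:-/opt/ufm/files/conf/gv.cfg}"
    if [ "$(cfg_get "$cfg" mad_limiter_enabled)" = "true" ]; then
        echo "mad_limiter_enabled is already true; nothing to do" >&2
        return 1
    fi
    cfg_set "$cfg" mad_limiter_enabled true
    return 0
}

# Usage on a real system (as root):
#   enable_mad_limiter && systemctl restart ufm-enterprise
#   cfg_set /opt/ufm/files/conf/mad_limiter/config.cfg node_rate_limit <value>
```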