Switches (and other network devices) can cause TCP senders to rate limit their transmissions, and can do so without even being aware of TCP per se. This[0] page does a good job of explaining it in detail, but the gist of it is that TCP implementations try to match their transmission rate to the capacity of the underlying network by maintaining a congestion window: a sender starts sending slowly, gradually ramping up its transmit rate as long as no packet loss is observed, but quickly and drastically reduces its transmit rate when packet loss occurs.
This behavior is manipulated by non-targeted congestion control schemes like Random Early Detect and targeted schemes like traffic policing and shaping.
Beyond consuming slow path resources, you might also be interested in SYN cookies to mitigate state-table exhaustion attacks.
Note that UDP, by itself, does not respond to loss in the same way. Any congestion control would have to be implemented at the application level, although policing / shaping are frequently applied to UDP traffic with good effect.
One minor nitpick, though: these tools are generally, but not always, effective at mitigating single-source DoS attacks. For volumetric DDoS, they don’t really work at all. For those, you need a provider, like Cloudflare or Akamai, who can divert the malicious traffic away from your network. By the time the end network receives those packets, the damage is almost always done - it really doesn’t matter if you drop or forward at that point, if 100% of your Internet connection is filled with malicious traffic.
[0] - https://witestlab.poly.edu/blog/tcp-congestion-control-basic...
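Added example (not part of the comment above or the linked page): a toy simulation of the mechanism the comment describes. A single-rate token-bucket policer that inspects no headers and keeps no per-flow state drops whatever exceeds its rate plus burst allowance; an AIMD (TCP-like) sender behind it backs off after the first loss and settles at roughly the policed rate, while a fixed-rate (UDP-like) sender with no application-level congestion control keeps offering the same load and simply loses two thirds of it. Rounds, rates and bucket depth are in packets per RTT and are constructed here for illustration; the AIMD model is deliberately simplified (no fast recovery, no timeouts).

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Units: one simulated "round" is one RTT; all sizes are in packets.
# Parameters below (rate 10, depth 20, 60 rounds) are constructed for the demo.


@dataclass
class TokenBucketPolicer:
    """Single-rate token bucket: admits up to `rate` packets per round plus a
    burst allowance of `depth`, drops the rest. It inspects no headers and
    keeps no per-flow state, so it is entirely unaware the traffic is TCP."""
    rate: int
    depth: int
    tokens: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = float(self.depth)

    def admit(self, offered: int) -> tuple[int, int]:
        """Refill once per round, pass up to `tokens` packets, drop the rest."""
        self.tokens = min(self.depth, self.tokens + self.rate)
        passed = min(offered, int(self.tokens))
        self.tokens -= passed
        return passed, offered - passed


@dataclass
class AimdSender:
    """TCP-like sender: slow start doubles cwnd each loss-free round, then
    congestion avoidance adds one packet per round; any loss halves cwnd."""
    cwnd: float = 1.0
    ssthresh: float = float("inf")

    def window(self) -> int:
        return max(1, int(self.cwnd))

    def on_round_end(self, dropped: int) -> None:
        if dropped:
            self.ssthresh = max(2.0, self.cwnd / 2)
            self.cwnd = self.ssthresh
        elif self.cwnd < self.ssthresh:
            self.cwnd *= 2
        else:
            self.cwnd += 1


def run_tcp(rounds: int = 60, rate: int = 10, depth: int = 20) -> list[tuple[int, int, int]]:
    """(offered, passed, dropped) per round for an AIMD sender behind the policer."""
    policer, sender = TokenBucketPolicer(rate, depth), AimdSender()
    history = []
    for _ in range(rounds):
        offered = sender.window()
        passed, dropped = policer.admit(offered)
        history.append((offered, passed, dropped))
        sender.on_round_end(dropped)
    return history


def run_udp(rounds: int = 60, rate: int = 10, depth: int = 20,
            offered: int = 30) -> list[tuple[int, int, int]]:
    """Same policer, but a fixed-rate sender that ignores loss entirely."""
    policer = TokenBucketPolicer(rate, depth)
    return [(offered, *policer.admit(offered)) for _ in range(rounds)]


def summarize(history: list[tuple[int, int, int]], tail: int = 30) -> dict[str, float]:
    """Mean offered load, goodput and loss fraction over the last `tail` rounds."""
    window = history[-tail:]
    offered = sum(h[0] for h in window)
    passed = sum(h[1] for h in window)
    return {
        "offered_per_round": offered / len(window),
        "passed_per_round": passed / len(window),
        "loss_fraction": (offered - passed) / offered,
    }


if __name__ == "__main__":
    tcp, udp = run_tcp(), run_udp()
    first_loss = next(i for i, h in enumerate(tcp) if h[2])
    print(f"TCP: first loss in round {first_loss + 1}: offered {tcp[first_loss][0]},"
          f" next round offered {tcp[first_loss + 1][0]}")
    print("TCP steady state:", summarize(tcp))
    print("UDP steady state:", summarize(udp))
```

With these parameters the TCP-like sender's slow start overruns the bucket in round 6 (32 packets offered, 14 admitted), halves twice, and then saws between roughly 7 and 15 packets per round so that its goodput hovers near the policed 10 packets per RTT; the fixed-rate sender gets the same 10 packets per round admitted but never stops offering 30, which is exactly why policing "works" against a well-behaved TCP flow and why a flood that ignores loss has to be dropped upstream instead.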