NetBSD-Users archive


Re: SYN flood resilience
On Thu, Dec 31, 2009 at 05:02:40PM +0100, Jean-Yves Migeon wrote:
> On 12/30/09 20:56, Sad Clouds wrote:
> >Does NetBSD employ any methods in its TCP stack to resist SYN flood DoS
> >attacks?
> 
> Yes, syn cache. Very basically, you limit the number of half opened 
> connections, and drop some if you reach a certain threshold.
> 
> >If yes, how effective are those methods? Can they completely resist
> >such attacks?
> 
> No method can _completely_ resist flooding; they can only mitigate the 
> abuse/exploit to a certain extent.

True - but I think we can do better by using the FreeBSD combined
method of SYN cookies (with the extended timestamp options) as well as
SYN caching. They switch to SYN cookies if the SYN cache overflows,
controlled by a sysctl (variable)[*].

If anyone would like to submit patches, that would be really nice...

Best,
Alistair

[*] Sorry, source-changes-disc in-joke.
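A toy model of the scheme discussed in this thread (a bounded SYN cache that falls back to stateless SYN cookies once it is full), added here as an example; it is not NetBSD's or FreeBSD's code, and the SynCache class, its limit/TTL/tick constants and the flow-tuple shape are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class SynCache:
    """Toy SYN cache with SYN-cookie fallback (assumed design, not a real TCP stack)."""

    TTL = 30      # seconds a half-open entry may live in the cache
    TICK = 64     # cookie timestamp granularity in seconds

    def __init__(self, limit, secret=None, clock=time.time):
        self.limit = limit                              # max half-open entries kept
        self.secret = secret or secrets.token_bytes(32)  # key for the cookie MAC
        self.clock = clock
        self.half_open = {}   # flow -> (server_isn, client_isn, deadline)
        self.cookies_sent = 0

    def _cookie(self, flow, client_isn, tick):
        # 32-bit ISN: 8 bits of time tick in the top byte, 24 bits of keyed MAC below.
        msg = repr((flow, client_isn, tick)).encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return ((tick & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def on_syn(self, flow, client_isn):
        """Handle a SYN; return (server_isn, mode) with mode 'cache' or 'cookie'."""
        now = self.clock()
        # Reap expired half-open entries before deciding whether the cache is full.
        self.half_open = {f: e for f, e in self.half_open.items() if e[2] >= now}
        if len(self.half_open) < self.limit:
            isn = secrets.randbits(32)
            self.half_open[flow] = (isn, client_isn, now + self.TTL)
            return isn, "cache"
        # Cache overflow: keep no state at all, encode it in the ISN instead.
        self.cookies_sent += 1
        return self._cookie(flow, client_isn, int(now) // self.TICK), "cookie"

    def on_ack(self, flow, seq, ack):
        """Validate the third handshake packet; True means the connection may be set up."""
        server_isn = (ack - 1) & 0xFFFFFFFF
        client_isn = (seq - 1) & 0xFFFFFFFF
        entry = self.half_open.pop(flow, None)
        if entry is not None:
            isn, cisn, deadline = entry
            return isn == server_isn and cisn == client_isn and self.clock() <= deadline
        # No entry: the SYN may have been answered with a cookie. Accept the current
        # tick and the previous one so a slow client can still complete the handshake.
        tick = int(self.clock()) // self.TICK
        return any(self._cookie(flow, client_isn, t) == server_isn for t in (tick, tick - 1))
```

The timestamp-option extension mentioned in the thread (carrying window scale and other options that a bare 32-bit cookie cannot hold) is not modelled here; the cookie only proves that a SYN for this flow was answered recently.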
