NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: SYN flood resilience

On 01/02/10 04:29, Alistair Crooks wrote:
If yes, how effective are those methods? Can they completely resist
such attacks?

No method can _completely_ resist flooding; they can only mitigate the
abuse/exploit to a certain extent.

True - but I think we can do better by using the FreeBSD combined
method of SYN cookies (with the extended timestamp options) as well as
SYN caching. They switch to SYN cookies if the SYN cache overflows,
controlled by a sysctl (variable)[*].

Timestamp option requires PMTU no? Isn't it a bit dangerous, considering all the bulky/badly configured routers/fw out there aggressively filtering ICMP?

If anyone would like to submit patches, that would be really nice...

For future reference: someone pointed me off-list (Thomas Galliano, whom I thank for that) to TCP cookie transactions that were recently added to Linux:

The links at the end could be interesting.

Before someone asks: yes, it requires client+server support, contrary to traditional delightful cookies.


Jean-Yves Migeon

Home | Main Index | Thread Index | Old Index