[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: SYN flood resilience
On 01/02/10 04:29, Alistair Crooks wrote:
If yes, how effective are those methods? Can they completely resist
No method can _completely_ resist flooding; they can only mitigate the
abuse/exploit to a certain extent.
True - but I think we can do better by using the FreeBSD combined
method of SYN cookies (with the extended timestamp options) as well as
SYN caching. They switch to SYN cookies if the SYN cache overflows,
controlled by a sysctl (variable)[*].
Timestamp option requires PMTU no? Isn't it a bit dangerous, considering
all the bulky/badly configured routers/fw out there aggressively
If anyone would like to submit patches, that would be really nice...
For future reference: someone pointed me off-list (Thomas Galliano, whom
I thank for that) to TCP cookie transactions that were recently added to
The links at the end could be interesting.
Before someone asks: yes, it requires client+server support, contrary to
traditional delightful cookies.
Main Index |
Thread Index |