NetBSD-Users archive
Re: SYN flood resilience
On 01/02/10 04:29, Alistair Crooks wrote:
If yes, how effective are those methods? Can they completely resist
such attacks?
No method can _completely_ resist flooding; they can only mitigate the
abuse/exploit to a certain extent.
True - but I think we can do better by using the FreeBSD combined
method of SYN cookies (with the extended timestamp options) as well as
SYN caching. They switch to SYN cookies if the SYN cache overflows,
controlled by a sysctl (variable)[*].
Timestamp option requires PMTU no? Isn't it a bit dangerous, considering
all the bulky/badly configured routers/fw out there aggressively
filtering ICMP?
If anyone would like to submit patches, that would be really nice...
For future reference: someone pointed me off-list (Thomas Galliano, whom
I thank for that) to TCP cookie transactions that were recently added to
Linux:
http://en.wikipedia.org/wiki/TCP_Cookie_Transactions
The links at the end could be interesting.
Before someone asks: yes, it requires client+server support, contrary to
traditional delightful cookies.
Cheers!
--
Jean-Yves Migeon
jeanyves.migeon%free.fr@localhost
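The FreeBSD-style fallback described above (a bounded SYN cache first, SYN cookies once it overflows), as an added toy example that is not code from NetBSD, FreeBSD or anyone in this thread; the cookie layout (5-bit time slot, 24-bit keyed MAC, 3-bit MSS index), SECRET, MSS_TABLE and the Listener class are all constructed for illustration.

```python
import hashlib
import hmac
import struct
from collections import OrderedDict

SECRET = b"constructed-demo-secret"   # assumption: a real stack generates and rotates this
MSS_TABLE = (536, 1220, 1440, 1460)  # MSS values the 3-bit field can encode
MAX_SLOT_AGE = 2                      # accept the current and the previous 64 s slot

def _mac(src, sport, dst, dport, client_isn, slot, mss_idx):
    # 24-bit keyed MAC over the 4-tuple, client ISN, time slot and MSS index
    msg = struct.pack("!4s4sHHIIB", src, dst, sport, dport, client_isn, slot, mss_idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src, sport, dst, dport, client_isn, mss, now):
    """Server ISN that carries the state instead of storing it: 5-bit slot | 24-bit MAC | 3-bit MSS."""
    slot = (int(now) // 64) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (slot << 27) | (_mac(src, sport, dst, dport, client_isn, slot, mss_idx) << 3) | mss_idx

def check_cookie(src, sport, dst, dport, ack_seq, ack_num, now):
    """Validate the handshake's final ACK; returns the MSS to use, or None if the cookie is bad or stale."""
    cookie, client_isn = (ack_num - 1) & 0xFFFFFFFF, (ack_seq - 1) & 0xFFFFFFFF
    slot, mss_idx = cookie >> 27, cookie & 0x7
    if ((int(now) // 64) - slot) & 0x1F >= MAX_SLOT_AGE or mss_idx >= len(MSS_TABLE):
        return None
    if (cookie >> 3) & 0xFFFFFF != _mac(src, sport, dst, dport, client_isn, slot, mss_idx):
        return None
    return MSS_TABLE[mss_idx]

class Listener:
    """Bounded SYN cache; when it is full, new SYNs are answered with cookies instead of state."""
    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.cache = OrderedDict()     # (src, sport, dst, dport) -> (server_isn, mss)

    def on_syn(self, src, sport, dst, dport, client_isn, mss, now):
        server_isn = make_cookie(src, sport, dst, dport, client_isn, mss, now)  # usable as ISN either way
        if len(self.cache) < self.max_entries:
            self.cache[(src, sport, dst, dport)] = (server_isn, mss)
            return "cache", server_isn
        return "cookie", server_isn    # no memory spent on this half-open connection

    def on_ack(self, src, sport, dst, dport, ack_seq, ack_num, now):
        key = (src, sport, dst, dport)
        if key in self.cache:          # stateful path: compare against the stored ISN
            server_isn, mss = self.cache[key]
            if ack_num != (server_isn + 1) & 0xFFFFFFFF:
                return None
            del self.cache[key]
            return mss
        return check_cookie(src, sport, dst, dport, ack_seq, ack_num, now)  # stateless path
```

The cookie is only a 32-bit sequence number, so it cannot carry SACK or window-scale options; that is the loss the timestamp-option extension mentioned above tries to recover.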