Subject: Re: tcpdrop for NetBSD
To: Martin Husemann <martin@duskware.de>
From: D'Arcy J.M. Cain <darcy@NetBSD.org>
List: tech-net
Date: 05/11/2005 06:42:48
On Wed, 11 May 2005 11:51:46 +0200
Martin Husemann <martin@duskware.de> wrote:
> On Wed, May 11, 2005 at 05:22:32AM -0400, D'Arcy J.M. Cain wrote:
> > You have blocked the offending site but now you have
> > a bunch of connections hanging around waiting for a timeout.
> 
> Would you really go through and kill them? I'd either just wait for
> them to timeout - or restart the attacked service, if I can.

Well, sure.  If my clients were down because of an attack that I have
just blocked and the zombies were using up resources affecting their
ability to get back on I would love to have a way of cleaning up the
trash quickly.  I don't want them down any longer than they have to be.

> I agree, however, that ipfilter should immediately drop state for
> connections affected by a new block added. (By magic done in userland,
> of course)

That would work too given that that is the most likely way that a DDOS
would be fixed anyway.  However, the blocking is usually done on a
router, not a server, so this would still be of limited value.

-- 
D'Arcy J.M. Cain <darcy@NetBSD.org>
http://www.NetBSD.org/
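As an added illustration of the cleanup D'Arcy describes (example code, not from the thread or from NetBSD): a dry-run shell helper that parses constructed `netstat -n -f inet` output and emits one tcpdrop(8) invocation (`laddr lport faddr fport`) for every connection still open to a peer that has just been blocked. The sample netstat text and addresses are constructed; the function only prints the commands, it does not run them.

```shell
#!/bin/sh
# Added example, not part of the original thread. Given a newly blocked
# remote address, list the TCP connections netstat still shows to that
# peer and print the matching tcpdrop(8) commands so they can be torn
# down instead of waiting for the kernel timeout. Assumes the NetBSD
# "netstat -n -f inet" column layout (Proto Recv-Q Send-Q Local Foreign State).

# Constructed sample of `netstat -n -f inet` output (not a real capture).
SAMPLE_NETSTAT='Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        State
tcp        0      0  192.0.2.10.80          198.51.100.7.51234     ESTABLISHED
tcp        0      0  192.0.2.10.80          198.51.100.7.51235     CLOSE_WAIT
tcp        0      0  192.0.2.10.22          203.0.113.5.40000      ESTABLISHED
tcp        0      0  192.0.2.10.80          198.51.100.7.51236     TIME_WAIT'

# drop_cmds_for BLOCKED_ADDR  < netstat-output
# Prints "tcpdrop laddr lport faddr fport" for each TCP connection whose
# foreign address equals BLOCKED_ADDR. Nothing is executed; review the
# output and pipe it into sh as root to actually drop the connections.
drop_cmds_for() {
    blocked="$1"
    awk -v blocked="$blocked" '
        $1 != "tcp" { next }          # skip header lines and non-TCP sockets
        {
            # netstat -n joins address and port with a dot; split on the last dot
            # so IPv4 (and IPv6) addresses containing dots are handled correctly.
            li = match($4, /\.[0-9]+$/); laddr = substr($4, 1, li - 1); lport = substr($4, li + 1)
            fi = match($5, /\.[0-9]+$/); faddr = substr($5, 1, fi - 1); fport = substr($5, fi + 1)
            if (faddr == blocked)
                printf "tcpdrop %s %s %s %s\n", laddr, lport, faddr, fport
        }'
}

# Dry run over the constructed sample: three connections to 198.51.100.7.
printf '%s\n' "$SAMPLE_NETSTAT" | drop_cmds_for 198.51.100.7
```

On a live system replace the sample with `netstat -n -f inet | drop_cmds_for <addr>`; tcpdrop needs root and a kernel that supports it.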