tech-net archive


Re: TCP SYN Cookies for NetBSD

On Mon, 05 Nov 2012, Paul Goyette wrote:
> While at the MeetBSD California un-conference over the weekend, I was approached by the originator of [1]. Looking through the archives, I don't see any replies or discussion, so I was wondering (along with John) if there's any merit to the suggested code/patches? Has anyone with TCP expertise reviewed them at all?

Are these SYN cookies to be used all the time without a SYN cache, or will there also be a finite sized SYN cache to allow the host to avoid violating the TCP protocol (as long as the cache is not full)?

If they are to be used all the time without a SYN cache, then I agree with Mouse that they may cause too much harm. If there is also a SYN cache and the harmful side-effects of SYN cookies arise only when the SYN cache is full, then I think that is acceptable. Exhaustion of a properly-sized SYN cache should be so rare as to occur only when the host is under attack (or something that looks like an attack), and under such circumstances it's acceptable for the host's self-defence measures to inconvenience legitimate clients.

--apb (Alan Barrett)
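The arrangement described in the reply above, a finite SYN cache with SYN cookies used only once the cache is full, as an added C example. This is not code from the thread or from NetBSD: the cookie layout (5 bits of time slot, 3 bits of MSS class, 24-bit tag), the MSS table, the demo secret and the addresses are all constructed for the demonstration, and the keyed mixer stands in for the proper MAC a real stack would use. The scenario shows the two behaviours the mail contrasts: a cached SYN completes with its exact options, while a cookie-handled SYN completes with a degraded MSS class, stays valid for only two time slots, and rejects a modified ACK.

```c
/* Added example, not NetBSD code: a fixed-size SYN cache that falls back to
 * stateless SYN cookies only when the cache is full. Layout, table and secret
 * are constructed for this demonstration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SYN_CACHE_SIZE 4      /* tiny on purpose so the cookie fallback is reached quickly */
#define COOKIE_SLOT_SECS 64   /* a cookie stays valid for the current and the previous slot */

struct four_tuple { uint32_t saddr, daddr; uint16_t sport, dport; };

struct syn_cache_entry {
    bool in_use;
    struct four_tuple ft;
    uint32_t our_isn;   /* ISN sent in the SYN|ACK; the client's ACK must be our_isn + 1 */
    uint16_t mss;       /* exact MSS from the SYN; only the stateful path can keep it */
};

struct syn_cache {
    struct syn_cache_entry e[SYN_CACHE_SIZE];
    uint64_t secret;    /* constructed demo secret; a real stack takes this from the kernel RNG */
    uint32_t isn_counter;
    unsigned stateful_accepts, cookie_accepts, cookie_rejects;
};

/* A cookie carries only a 3-bit MSS class: the exact SYN options are lost once we go stateless. */
static const uint16_t mss_table[8] = { 536, 1300, 1440, 1460, 2948, 4312, 8960, 9000 };

static unsigned mss_index(uint16_t mss) {
    unsigned i, best = 0;
    for (i = 0; i < 8; i++) if (mss_table[i] <= mss) best = i;
    return best;
}

/* 24-bit keyed tag over 4-tuple and slot. splitmix64's finalizer is used for brevity;
 * a real implementation needs a proper keyed hash. */
static uint32_t cookie_tag(const struct four_tuple *ft, uint64_t secret, uint32_t slot) {
    uint64_t x = secret ^ (((uint64_t)ft->saddr << 32) | ft->daddr);
    x ^= ((uint64_t)ft->sport << 48) | ((uint64_t)ft->dport << 32) | slot;
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return (uint32_t)x & 0x00ffffffu;
}

/* Constructed layout: bits 31..27 slot mod 32, bits 26..24 MSS class, bits 23..0 tag. */
static uint32_t make_cookie(const struct four_tuple *ft, uint64_t secret, uint32_t slot, uint16_t mss) {
    return ((slot & 0x1fu) << 27) | (mss_index(mss) << 24) | cookie_tag(ft, secret, slot);
}

/* Returns the MSS class encoded in a valid cookie, or 0 if it is forged or stale. */
static uint16_t check_cookie(const struct four_tuple *ft, uint64_t secret, uint32_t now, uint32_t cookie) {
    uint32_t cur = now / COOKIE_SLOT_SECS, d;
    for (d = 0; d < 2 && d <= cur; d++) {
        uint32_t slot = cur - d;
        if ((slot & 0x1fu) != (cookie >> 27)) continue;
        if (cookie_tag(ft, secret, slot) != (cookie & 0x00ffffffu)) continue;
        return mss_table[(cookie >> 24) & 7u];
    }
    return 0;
}

static bool same_tuple(const struct four_tuple *a, const struct four_tuple *b) {
    return a->saddr == b->saddr && a->daddr == b->daddr && a->sport == b->sport && a->dport == b->dport;
}

/* SYN: remember the connection if there is room, otherwise answer with a cookie ISN. */
static uint32_t syn_arrive(struct syn_cache *sc, const struct four_tuple *ft, uint16_t mss, uint32_t now) {
    int i;
    for (i = 0; i < SYN_CACHE_SIZE; i++) {
        if (sc->e[i].in_use) continue;
        sc->e[i].in_use = true; sc->e[i].ft = *ft; sc->e[i].mss = mss;
        sc->isn_counter += 0x10000u;   /* demo ISN; a real stack randomizes it (RFC 6528) */
        sc->e[i].our_isn = sc->isn_counter;
        return sc->e[i].our_isn;
    }
    return make_cookie(ft, sc->secret, now / COOKIE_SLOT_SECS, mss);   /* cache full */
}

/* ACK: consume a matching cache entry, otherwise verify a cookie. Returns MSS, or 0 to drop. */
static uint16_t ack_arrive(struct syn_cache *sc, const struct four_tuple *ft, uint32_t ack, uint32_t now) {
    int i;
    uint16_t mss;
    for (i = 0; i < SYN_CACHE_SIZE; i++) {
        if (sc->e[i].in_use && same_tuple(&sc->e[i].ft, ft) && ack == sc->e[i].our_isn + 1) {
            mss = sc->e[i].mss; sc->e[i].in_use = false; sc->stateful_accepts++;
            return mss;
        }
    }
    mss = check_cookie(ft, sc->secret, now, ack - 1);
    if (mss) sc->cookie_accepts++; else sc->cookie_rejects++;
    return mss;
}

struct demo_result { uint16_t mss_stateful, mss_cookie, mss_forged, mss_stale; unsigned stateful, cookie_ok, cookie_bad; };

/* Scenario with constructed addresses: four SYNs fill the cache, the fifth is answered with a cookie. */
static struct demo_result run_demo(void) {
    struct syn_cache sc;
    struct four_tuple ft[5];
    uint32_t isn[5], now = 1000;
    struct demo_result r;
    int i;
    memset(&sc, 0, sizeof sc);
    sc.secret = 0x0123456789abcdefULL;
    for (i = 0; i < 5; i++) {
        ft[i].saddr = 0x0a000001u + i; ft[i].sport = 40000 + i;
        ft[i].daddr = 0xc0a80001u;     ft[i].dport = 80;
        isn[i] = syn_arrive(&sc, &ft[i], i < 4 ? 1460 : 1400, now);
    }
    r.mss_stateful = ack_arrive(&sc, &ft[0], isn[0] + 1, now + 1);                  /* cached: exact 1460 */
    r.mss_cookie   = ack_arrive(&sc, &ft[4], isn[4] + 1, now + 70);                 /* previous slot: class 1300 */
    r.mss_forged   = ack_arrive(&sc, &ft[4], (isn[4] ^ 0x100u) + 1, now + 70);      /* tag bit flipped: dropped */
    r.mss_stale    = ack_arrive(&sc, &ft[4], isn[4] + 1, now + 3 * COOKIE_SLOT_SECS); /* two slots old: dropped */
    r.stateful = sc.stateful_accepts; r.cookie_ok = sc.cookie_accepts; r.cookie_bad = sc.cookie_rejects;
    return r;
}

int main(void) {
    struct demo_result r = run_demo();
    printf("stateful mss=%u cookie mss=%u forged=%u stale=%u | accepts stateful=%u cookie=%u rejects=%u\n",
           r.mss_stateful, r.mss_cookie, r.mss_forged, r.mss_stale, r.stateful, r.cookie_ok, r.cookie_bad);
    return 0;
}
```

With a realistically sized cache the cookie path is reached only under a flood, which is the point of the reply: the degraded MSS and the narrow validity window cost legitimate clients something, so they are paid only when the cache is exhausted.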
