Subject: Re: syn flooding handling ..
To: Murhy Paul <learning_netbsd@hotmail.com>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-security
Date: 03/19/2004 14:53:00

On Thu, Mar 18, 2004 at 09:42:37PM +0100, Manuel Bouyer wrote:
> On Thu, Mar 18, 2004 at 02:46:14PM +0530, Murhy Paul wrote:
> > [...]
> > From very little I know there is no definite fail-proof solution to syn
> > attacks.
> > Best or most widely used being syn cookies / rst cookies ..
> > I was looking at the source code and the tcp_input.c file does have all
> > the syn cache handling.
> > But, being new, I wanted to know if that is on by default.
> > ( version I am looking at is 1.6.1 .. )
>
> As far as I know it's on by default, and was in the 1.6 branch.

Looking at the cvs log for sys/netinet/tcp_input.c, the syn cache has been
around since 1997, which means it's been in NetBSD since 1.3.

[snip]

> >
> > And how well / what is the behaviour of netbsd when a default installation
> > is put in front of a spoofed IP SYN attack ?
>
> I think the developers who implemented the syn cache tested it with
> a flood on a 100Mb/s LAN.

Note that the tests were performed in 1997, over 6 years ago. Given the
advances in CPU speeds since then (over 10x seems a fair estimate), it is
reasonable to expect comparable results with a gigabit ethernet connection
today.

Take care,

Bill
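As an added illustration of the mechanism this thread is about (a toy model written for this page, not NetBSD's tcp_input.c code; the bucket count and the per-bucket and global limits are assumed values, not NetBSD's defaults), the following Python simulation contrasts a bounded syn cache with an unbounded half-open queue under a constructed spoofed SYN flood. It shows both why the cache keeps kernel state bounded and the residual failure mode the first poster alludes to: a legitimate half-open entry can still be recycled if enough spoofed SYNs arrive between its SYN and its final ACK.

```python
"""
Toy model of a bounded SYN cache (added example, not NetBSD's code).

Half-open connections live in a hash table whose buckets and total size are
capped. When a bucket or the whole cache is full, the oldest entry is recycled
instead of allocating more memory, so a spoofed flood can only churn a fixed
amount of state. The limits below are assumptions chosen to keep the
simulation small; they are not NetBSD's defaults.
"""
import hashlib
from collections import OrderedDict

BUCKET_COUNT = 8    # assumption: number of hash buckets
BUCKET_LIMIT = 4    # assumption: max half-open entries per bucket
CACHE_LIMIT = 24    # assumption: max half-open entries in the whole cache


def bucket_index(key, nbuckets=BUCKET_COUNT):
    """Deterministic hash of a (src_ip, src_port, dst_port) tuple."""
    digest = hashlib.blake2b(repr(key).encode(), digest_size=4).digest()
    return int.from_bytes(digest, "big") % nbuckets


class SynCache:
    """Half-open connection table with per-bucket and global caps."""

    def __init__(self, nbuckets=BUCKET_COUNT, bucket_limit=BUCKET_LIMIT,
                 cache_limit=CACHE_LIMIT):
        self.buckets = [OrderedDict() for _ in range(nbuckets)]
        self.order = OrderedDict()      # global insertion order: key -> bucket idx
        self.bucket_limit = bucket_limit
        self.cache_limit = cache_limit
        self.evicted = 0

    @property
    def count(self):
        return len(self.order)

    def _drop(self, key, idx):
        del self.buckets[idx][key]
        del self.order[key]
        self.evicted += 1

    def add_syn(self, key):
        """Record an incoming SYN; returns False for a retransmit of a cached one."""
        idx = bucket_index(key, len(self.buckets))
        bucket = self.buckets[idx]
        if key in bucket:
            return False
        if len(bucket) >= self.bucket_limit:
            # bucket full: recycle the oldest entry in this bucket
            oldest, _ = next(iter(bucket.items()))
            self._drop(oldest, idx)
        elif self.count >= self.cache_limit:
            # whole cache full: recycle the oldest entry overall
            oldest, oldest_idx = next(iter(self.order.items()))
            self._drop(oldest, oldest_idx)
        bucket[key] = True
        self.order[key] = idx
        return True

    def complete_handshake(self, key):
        """Final ACK arrived: succeed only if the half-open entry survived."""
        idx = bucket_index(key, len(self.buckets))
        if key not in self.buckets[idx]:
            return False
        del self.buckets[idx][key]
        del self.order[key]
        return True


def spoofed_syn(i):
    """Constructed spoofed SYN: pseudo-random source address, unique port."""
    b = hashlib.blake2b(i.to_bytes(4, "big"), digest_size=3).digest()
    return (f"10.{b[0]}.{b[1]}.{b[2]}", 1024 + i, 80)


def run_simulation(flood_before=1000, flood_after=0):
    """Flood, one legitimate client SYN, optional further flood, then its ACK."""
    cache = SynCache()
    naive_queue = set()     # unbounded half-open queue, for comparison
    for i in range(flood_before):
        key = spoofed_syn(i)
        cache.add_syn(key)
        naive_queue.add(key)
    legit = ("192.0.2.10", 40000, 80)   # constructed legitimate client
    cache.add_syn(legit)
    naive_queue.add(legit)
    peak = cache.count
    for i in range(flood_before, flood_before + flood_after):
        key = spoofed_syn(i)
        cache.add_syn(key)
        naive_queue.add(key)
    legit_ok = cache.complete_handshake(legit)
    return {"cache_peak": peak, "cache_entries": cache.count,
            "evicted": cache.evicted, "naive_entries": len(naive_queue),
            "legit_ok": legit_ok}


if __name__ == "__main__":
    print("ACK right after SYN:", run_simulation(1000, 0))
    print("1000 spoofed SYNs before ACK:", run_simulation(1000, 1000))
```

The naive queue ends with one entry per spoofed SYN, while the cache never holds more than CACHE_LIMIT entries no matter how long the flood runs; the second scenario shows the trade-off, where a legitimate client whose ACK arrives late finds its entry already recycled and must retry.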
