Subject: Re: tcpdrop for NetBSD
To: Martin Husemann <email@example.com>
From: D'Arcy J.M. Cain <darcy@NetBSD.org>
Date: 05/11/2005 06:42:48
On Wed, 11 May 2005 11:51:46 +0200
Martin Husemann <firstname.lastname@example.org> wrote:
> On Wed, May 11, 2005 at 05:22:32AM -0400, D'Arcy J.M. Cain wrote:
> > You have blocked the offending site but now you have
> > a bunch of connections hanging around waiting for a timeout.
> Would you really go through and kill them? I'd either just wait for
> them to timeout - or restart the attacked service, if I can.
Well, sure. If my clients were down because of an attack that I have
just blocked and the zombies were using up resources affecting their
ability to get back on I would love to have a way of cleaning up the
trash quickly. I don't want them down any longer than they have to be.
> I agree, however, that ipfilter should immediately drop state for
> connections affected by a new block added. (By magic done in userland,
> of course)
That would work too given that that is the most likely way that a DDOS
would be fixed anyway. However, the blocking is usually done on a
router, not a server so this would still be of limited value.
D'Arcy J.M. Cain <darcy@NetBSD.org>
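The cleanup D'Arcy describes, killing the connections a just-blocked host left behind on the server, can be scripted around tcpdrop(8). The following is an added example, not code from this thread or from NetBSD; it assumes netstat's NetBSD-style "address.port" notation for -an -f inet output and the tcpdrop argument order "laddr lport faddr fport", and the netstat lines it parses are constructed sample data rather than a real capture.

```shell
#!/bin/sh
# Constructed sample of `netstat -an -f inet` output (not a real capture),
# using NetBSD's address.port notation for local and foreign endpoints.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        State
tcp        0      0  192.0.2.10.80          203.0.113.5.41234      ESTABLISHED
tcp        0      0  192.0.2.10.80          203.0.113.5.41235      CLOSE_WAIT
tcp        0      0  192.0.2.10.80          198.51.100.7.55000     ESTABLISHED
tcp        0      0  192.0.2.10.22          203.0.113.5.41299      ESTABLISHED
tcp        0      0  *.80                   *.*                    LISTEN
udp        0      0  *.514                  *.*'

# tcpdrop_cmds BLOCKED_ADDR
#   Reads netstat-style lines on stdin and prints one
#   "tcpdrop laddr lport faddr fport" command per TCP connection whose
#   foreign address is BLOCKED_ADDR, regardless of state (ESTABLISHED,
#   CLOSE_WAIT, ...). Listening sockets, UDP and header lines are skipped.
#   Nothing is executed here; the caller decides whether to pipe into sh.
tcpdrop_cmds() {
    blocked="$1"
    awk -v blocked="$blocked" '
        $1 != "tcp" || $6 == "LISTEN" { next }
        {
            # Split "addr.port" at the last dot; works for IPv6 too,
            # since only the port is preceded by the final dot.
            li = match($4, /\.[0-9]+$/)
            laddr = substr($4, 1, li - 1); lport = substr($4, li + 1)
            fi = match($5, /\.[0-9]+$/)
            faddr = substr($5, 1, fi - 1); fport = substr($5, fi + 1)
            if (fi > 0 && faddr == blocked)
                printf "tcpdrop %s %s %s %s\n", laddr, lport, faddr, fport
        }'
}

# Dry run against the constructed sample: shows what would be dropped.
demo() {
    printf '%s\n' "$SAMPLE_NETSTAT" | tcpdrop_cmds 203.0.113.5
}

# On a live NetBSD host, after the firewall rule for the address is in
# place, the same function drives the real tool (run as root):
#   netstat -an -f inet | tcpdrop_cmds 203.0.113.5 | sh
demo
```

Keeping the command generation separate from execution lets an operator review the list first, and the address filter means connections from other clients on the same service (198.51.100.7 above) are left alone.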