Subject: Re: tcpdrop for NetBSD
To: Martin Husemann <>
From: Steven M. Bellovin <>
List: tech-net
Date: 05/11/2005 10:04:40
In message <>, Martin Husemann writes:
>On Wed, May 11, 2005 at 05:22:32AM -0400, D'Arcy J.M. Cain wrote:
>> You have blocked the offending site but now you have
>> a bunch of connections hanging around waiting for a timeout.
>Would you really go through and kill them? I'd either just wait for them
>to time out - or restart the attacked service, if I can.

One problem is that state FINWAIT-2 is stable -- you're waiting for the 
far side to send a FIN.  It will never time out, at least at the TCP 

