Subject: Re: tcpdrop for NetBSD
To: Martin Husemann <email@example.com>
From: Steven M. Bellovin <firstname.lastname@example.org>
Date: 05/11/2005 10:04:40
In message <20050511095146.GD27829@drowsy.duskware.de>, Martin Husemann writes:
>On Wed, May 11, 2005 at 05:22:32AM -0400, D'Arcy J.M. Cain wrote:
>> You have blocked the offending site but now you have
>> a bunch of connections hanging around waiting for a timeout.
>Would you really go through and kill them? I'd either just wait for them
>to time out - or restart the attacked service, if I can.
One problem is that state FINWAIT-2 is stable -- you're waiting for the
far side to send a FIN. It will never time out, at least at the TCP
--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb