Re: TCP SYN Cookies for NetBSD

To: tech-net%NetBSD.org@localhost
Subject: Re: TCP SYN Cookies for NetBSD
From: Mouse <mouse%Rodents-Montreal.ORG@localhost>
Date: Tue, 6 Nov 2012 16:22:20 -0500 (EST)

> And I do think it is better than even when the syn cache overflows,
> the server attempt to keep making connections when possible (when the
> network doesn't drop the retuirning ACK) rather than simply resetting
> all later attempts - that's much better DoS defence.

While I have some issues with the wording (see below), this actually is
a reasonable argument: it's a failure state (in response to an overload
condition) - but it's an attempt to make that failure less drastic than
a crash or silence.

As for the wording, it's not "resetting all later attempts", or at
least if it is I think that too is a bug; it should be "no response to
later attempts".  That's what has traditionally happened when
connection attempts are arriving faster than they can be serviced and I
believe it's a far more appropriate response to such an overload than
RSTs.

Also, it's not just "making connections when possible", with an
implicit "and ignoring them when not"; that would be entirely
reasonable.  It's "making connections when possible (and creating
half-open connections when not)".  I think this is probably outweighed
by the value of the relatively graceful degradation, though.

Most of the rest of this I see no point responding to, because my
responses are basically "you're taking an extremely rare and almost
always highly visible failure case and making it far more common and
less visible" and then arguing that because recovery mechanisms must
exist for the former, they exist for the latter, which is an invalid
argument because recovery mechanisms that work fine for extremely rare
cases are often completely out of the question for relatively common
cases.  But, when it's done only as a more-graceful failure mode in
response to an overload condition in the first place, it stays rare.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse%rodents-montreal.org@localhost
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

References:
- Re: TCP SYN Cookies for NetBSD
  - From: Mouse
- Re: TCP SYN Cookies for NetBSD
  - From: Mouse
- TCP SYN Cookies for NetBSD
  - From: Paul Goyette
- Re: TCP SYN Cookies for NetBSD
  - From: Robert Elz
- Re: TCP SYN Cookies for NetBSD
  - From: Robert Elz

Prev by Date: Re: TCP SYN Cookies for NetBSD
Next by Date: Re: TCP SYN Cookies for NetBSD
Previous by Thread: Re: TCP SYN Cookies for NetBSD
Next by Thread: Re: TCP SYN Cookies for NetBSD
Indexes:

Home | Main Index | Thread Index | Old Index