Re: [cobalt-developers] SYN flooding
- Subject: Re: [cobalt-developers] SYN flooding
- From: "E.B. Dreger" <eddy+public+spam@xxxxxxxxxxxxxxxxx>
- Date: Tue Mar 26 23:22:38 2002
- List-id: Discussion Forum for developers on Sun Cobalt Networks products <cobalt-developers.list.cobalt.com>
> Date: Tue, 26 Mar 2002 22:10:44 +0100
> From: Nico Meijer <nico.meijer@xxxxxxxxx>
> I did that a couple of times and it didn't work for me at
> all. I blocked the 'offending' IPs thru ipchains and logged all
> data coming in from those. Hardly what you would call a
> flood. You couldn't flood a 300bps modem with that traffic.

SYN flood != traffic flood

Anyone else been around long enough to remember how Panix was hit
by a SYN flood? A dialup user nearly shut them down.

No, SYN floods work by flooding the kernel with requests to open
TCP connections, until it just plain runs out. If someone sends
a 3 kB/s stream of minimally-sized TCP/SYN packets, your machine
will be bombarded by several hundred SYN requests per second.
Multiply that by the timeout period... LOTS of half-open sockets.

I rather like how OpenBSD handles (IIRC) SYN floods. It simply
uses a RED-like algorithm to replace a half-open socket with the
new attempt. Pretty slick, IMHO.

Eddy
Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
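
The backlog arithmetic and the random-replacement idea from the message above, as an added simulation that is not part of the original post: it compares a half-open queue that refuses new SYNs when full with one that evicts a random half-open entry to admit the newcomer. The 300 SYN/s rate, 75 s timeout, 1024-slot backlog, 10 legitimate connections per second and 100 ms round trip are assumptions chosen for illustration, and the model does not reproduce any particular kernel's code.

```python
import random

TICK = 0.01          # seconds per simulation step
SYN_TIMEOUT = 75.0   # assumed lifetime of a half-open entry, in seconds
BACKLOG = 1024       # assumed number of half-open slots
ATTACK_PER_TICK = 3  # 300 SYN/s whose handshakes are never completed
LEGIT_EVERY = 10     # one legitimate SYN every 10 ticks (10 per second)
RTT_TICKS = 10       # a legitimate client's ACK arrives 100 ms later

# Rate x timeout = 300 * 75 = 22,500 half-open entries wanted, against
# 1024 slots: the queue is full about 3.4 s into the flood.


def simulate(policy, seconds=90, seed=1):
    """Return the fraction of legitimate handshakes that complete.

    policy is "drop_new" (a full queue discards the incoming SYN) or
    "random_replace" (a full queue evicts one random half-open entry).
    """
    rng = random.Random(seed)
    timeout_ticks = int(SYN_TIMEOUT / TICK)
    queue = []            # (expiry_tick, id); id is None for flood SYNs
    done = attempts = 0
    for tick in range(int(seconds / TICK)):
        ack = tick - RTT_TICKS    # id of the client whose ACK arrives now
        kept = []
        for expiry, lid in queue:
            if lid == ack:
                done += 1         # handshake completes, slot is freed
            elif expiry > tick:
                kept.append((expiry, lid))   # still half-open
        queue = kept              # timed-out entries are dropped here
        arrivals = [None] * ATTACK_PER_TICK
        if tick % LEGIT_EVERY == 0:
            arrivals.append(tick)  # legitimate SYN, id = arrival tick
            attempts += 1
        rng.shuffle(arrivals)      # no fixed ordering inside one tick
        for lid in arrivals:
            if len(queue) >= BACKLOG:
                if policy == "drop_new":
                    continue       # queue full: the new SYN is lost
                queue.pop(rng.randrange(len(queue)))  # random eviction
            queue.append((tick + timeout_ticks, lid))
    return done / attempts


if __name__ == "__main__":
    for policy in ("drop_new", "random_replace"):
        print(policy, round(simulate(policy), 3))
```

With random replacement a legitimate entry only has to survive one round trip of evictions, so most handshakes still complete; with drop-on-full, clients are locked out until the 75 s timers start expiring.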