From: Alex Flex
Subject: Re: SynFloods and CPU usage with and without iptables. Confused!
Date: Sat, 04 May 2013 20:01:21 -0600
Message-ID: <5185BD71.7050800@gmail.com>
In-Reply-To: <16D2B778-173A-426F-A60B-47547EB1F026@stevek.com>
References: <5185444B.3090602@gmail.com> <9a3b8ec43ac420e45247dd70d2a597e1.squirrel@sqrl.metu.edu.tr> <806D468E-D006-41C3-AD0B-DC24747DC05F@stevek.com> <5185B59B.1070407@gmail.com> <16D2B778-173A-426F-A60B-47547EB1F026@stevek.com>
To: netfilter@vger.kernel.org

Thanks Steven,

Out of curiosity, is there a hash table, or a way to view such a table and its limits?

Alex

On 05/04/2013 07:34 PM, Steve Kann wrote:
> Yes.
>
> If you're keeping track of incoming connections, then the packets generated by the attacker in a SYN Flood connection will end up using ip_conntrack table entries. The whole point of SYNCOOKIES is to have zero stats. If you're getting million+ SYN/sec, you just cannot afford to keep track of them. Even with quite efficient data structures, there are only so many you can possibly track.
>
> -SteveK
>
>
> On May 4, 2013, at 9:27 PM, Alex Flex wrote:
>
>> Steven,
>>
>> In other words you are saying that having the following lines in my iptables script defeats the purpose of syn cookies?
>>
>> /sbin/iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
>> /sbin/iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
>>
>> Just confirming.
>>
>> Thanks
>> Alex
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
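Added example, not part of the thread: a small POSIX sh check that answers the question above for the defender, reading the conntrack table, its limit and the half-open (SYN_RECV) entries that a SYN flood leaves behind once every SYN is tracked. It assumes the standard Linux proc paths named in the comments; the sample table, counts and the 80% warning threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). On a live host the inputs come from:
#   /proc/sys/net/netfilter/nf_conntrack_max    table limit
#   /proc/sys/net/netfilter/nf_conntrack_count  entries in use
#   /proc/net/nf_conntrack                      the entries themselves
#   /proc/sys/net/ipv4/tcp_syncookies           1 = SYN cookies enabled
# Contents are passed as arguments so the functions also run on the sample below.

# Percentage of nf_conntrack_max currently in use (integer arithmetic).
conntrack_usage_pct() {           # usage: conntrack_usage_pct COUNT MAX
    echo $(( $1 * 100 / $2 ))
}

# Number of TCP entries still in SYN_RECV in /proc/net/nf_conntrack text
# (field 3 is the L4 protocol name, field 6 the TCP state).
count_syn_recv() {                # usage: count_syn_recv "<nf_conntrack text>"
    printf '%s\n' "$1" | awk '$3 == "tcp" && $6 == "SYN_RECV" { n++ } END { print n + 0 }'
}

# Share of the live table that is half-open; a high share means SYNs are
# being tracked in conntrack instead of being answered with cookies.
half_open_pct() {                 # usage: half_open_pct SYN_RECV_COUNT COUNT
    [ "$2" -gt 0 ] && echo $(( $1 * 100 / $2 )) || echo 0
}

# One-line verdict from table fill, half-open share and the syncookies knob.
# The 80% threshold is an assumption chosen for this example.
verdict() {                       # usage: verdict COUNT MAX SYNCOOKIES "<nf_conntrack text>"
    pct=$(conntrack_usage_pct "$1" "$2")
    syn=$(count_syn_recv "$4")
    hop=$(half_open_pct "$syn" "$1")
    if [ "$3" != "1" ]; then
        echo "WARN syncookies off, table ${pct}% full, ${hop}% half-open"
    elif [ "$pct" -ge 80 ]; then
        echo "WARN table ${pct}% full, ${hop}% half-open"
    else
        echo "OK table ${pct}% full, ${hop}% half-open"
    fi
}

# Constructed sample standing in for the proc files on a host under a flood.
SAMPLE_TABLE='ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.1 sport=50000 dport=22 src=10.0.0.1 dst=10.0.0.5 sport=22 dport=50000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 59 SYN_RECV src=198.51.100.7 dst=10.0.0.1 sport=40001 dport=80 src=10.0.0.1 dst=198.51.100.7 sport=80 dport=40001 mark=0 zone=0 use=2
ipv4     2 tcp      6 58 SYN_RECV src=198.51.100.8 dst=10.0.0.1 sport=40002 dport=80 src=10.0.0.1 dst=198.51.100.8 sport=80 dport=40002 mark=0 zone=0 use=2
ipv4     2 tcp      6 57 SYN_RECV src=198.51.100.9 dst=10.0.0.1 sport=40003 dport=80 src=10.0.0.1 dst=198.51.100.9 sport=80 dport=40003 mark=0 zone=0 use=2'
SAMPLE_COUNT=4        # constructed stand-in for nf_conntrack_count
SAMPLE_MAX=5          # constructed stand-in for nf_conntrack_max (tiny, to trigger the warning)
SAMPLE_SYNCOOKIES=1   # constructed stand-in for tcp_syncookies

verdict "$SAMPLE_COUNT" "$SAMPLE_MAX" "$SAMPLE_SYNCOOKIES" "$SAMPLE_TABLE"
```

On a real host, substitute `$(cat /proc/sys/net/netfilter/nf_conntrack_count)` and friends for the sample values; the table line format is the one the nf_conntrack proc file uses.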