Re: [patch] tcp connection tracking 2.4.19

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Roberto Nibali <ratz@drugphish.ch>
To: Gianni Tedesco <gianni@ecsc.co.uk>
Cc: Martin Renold <martinxyz@gmx.ch>, linux-kernel@vger.kernel.org
Subject: Re: [patch] tcp connection tracking 2.4.19
Date: Thu, 10 Oct 2002 20:06:35 +0200	[thread overview]
Message-ID: <3DA5C1AB.8060708@drugphish.ch> (raw)
In-Reply-To: 1034246310.1489.74.camel@lemsip

>>Fair enough. I thought that last time I checked with the code the SYN 
>>cookie functionality would only kick in _after_ the backlog queue is full.
> > It does. When using syn cookies you cant use some of the new advanced
> features of tcp. Linux uses the backlog queue when not under attack.
> When the queue overflows it just uses cookies - but can still accept
> connections.

That was my understanding so far. So then I haven't gone crazy, thank god.

> I don't think these statements are entirely true. While it is true that
> you can't use things like window scaling or SACK - syncookies 100%
> successfully stop syn flood attacks.

Someone needs to adjust the text then.

> The attack is that if you fill the syn backlog queue with bogus requests
> then legitimate clients can no longer connect. The syn flood attack
> isn't "your legitimate connections wont be able to use window scaling".

I completely agree with this definition of SYN flooding and then I will 
also say that you can 'stop' SYN flooding, well, at least you give 
legitimate clients a real chance to still successfully connect to your 
service, while it is under a SYN flood. I think we agree now. It should 
only be remarked that the line is still flooded, thus the wording "100 
stop SYN flood" is simply inappropriate in my eyes. It's all a matter of 
definition.

Regards,
Roberto Nibali, ratz
-- 
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc

     prev parent reply	other threads:[~2002-10-10 18:01 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2002-10-08 20:50 [patch] tcp connection tracking 2.4.19 Martin Renold
2002-10-08 21:06 ` Roberto Nibali
2002-10-09 12:30   ` Gianni Tedesco
2002-10-09 17:25     ` Roberto Nibali
2002-10-10 10:38       ` Gianni Tedesco
2002-10-10 18:06         ` Roberto Nibali [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3DA5C1AB.8060708@drugphish.ch \
    --to=ratz@drugphish.ch \
    --cc=gianni@ecsc.co.uk \
    --cc=linux-kernel@vger.kernel.org \
    --cc=martinxyz@gmx.ch \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox