netdev.vger.kernel.org archive mirror
From: bert hubert <ahu@ds9a.nl>
To: jamal <hadi@cyberus.ca>
Cc: Lennert Buytenhek <buytenh@gnu.org>, Marc Boucher <marc@mbsi.ca>,
	netdev@oss.sgi.com
Subject: Re: [PATCH,RFC] explicit connection confirmation
Date: Fri, 8 Nov 2002 12:52:05 +0100
Message-ID: <20021108115205.GA20549@outpost.ds9a.nl>
In-Reply-To: <Pine.GSO.4.30.0211080605410.14675-100000@shell.cyberus.ca>

On Fri, Nov 08, 2002 at 06:22:00AM -0500, jamal wrote:

> > There was a thread about this in private mail round April this year,
> > in which some good points were raised.
> 
> There are some good points; however, what's the app for this feature?

This came up a long time ago on bugtraq in a discussion of how to easily
prevent certain IP addresses from DoSsing your TCP daemon. Right now,
userspace is always forced to complete the three-way handshake, and can only
then close the socket.

Even rather small amounts of SYN packets can thus easily saturate a server
which has decided to handle only 100 connections AND has decided to ignore a
certain IP address. Some inetd superservers contain code to rate-limit IP
addresses which sadly is not as effective from userspace as it could be with
the ability to RST a connection immediately.

It also allows userspace to simulate that a service isn't even there,
without root capabilities.

Regards,

bert

-- 
http://www.PowerDNS.com          Versatile DNS Software & Services
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO
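
The limitation described in this message, as an added example that is not part of the original email or of the patch under discussion: on an unmodified kernel a daemon can only refuse a peer after accept(), by which point the three-way handshake has already completed, and the closest it can get to "RST immediately" is closing with SO_LINGER set to a zero timeout. The loopback address, the blocklist and the function names are constructed for the demo.

```python
import socket
import struct

BLOCKED = {"127.0.0.1"}  # constructed blocklist; loopback so the demo runs offline


def reject_with_rst(conn):
    """Abort an accepted connection so the peer sees RST rather than FIN."""
    # struct linger {l_onoff=1, l_linger=0}: close() discards the connection
    # and the kernel answers with a reset.
    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    conn.close()


def demo():
    """Return (handshake_completed, what_the_client_saw_afterwards)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port
    listener.listen(8)
    port = listener.getsockname()[1]

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.settimeout(5)
    try:
        # The kernel finishes SYN / SYN-ACK / ACK on its own; connect()
        # succeeds before the daemon has called accept() or seen the peer.
        client.connect(("127.0.0.1", port))
        handshake_completed = True
    except OSError:
        handshake_completed = False

    # Only now does userspace learn the peer address and get to decide.
    conn, (peer_ip, _peer_port) = listener.accept()
    if peer_ip in BLOCKED:
        reject_with_rst(conn)
    else:
        conn.close()  # orderly FIN for peers that are not blocked

    try:
        outcome = "eof" if client.recv(1) == b"" else "data"
    except ConnectionResetError:
        outcome = "reset"
    finally:
        client.close()
        listener.close()
    return handshake_completed, outcome


if __name__ == "__main__":
    print(demo())
```

The blocked peer still consumed a completed connection and an accept() call before it was reset, which is the cost the message points out.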
