[4119] in linux-net channel archive
Re: SYN floods
daemon@ATHENA.MIT.EDU (Pedro Roque Marques)
Tue Aug 20 19:09:55 1996
Date: Tue, 20 Aug 1996 23:14:51 +0100
From: Pedro Roque Marques <roque@di.fc.ul.pt>
To: "Eric Schenk" <schenk@cs.toronto.edu>
Cc: Pedro Roque Marques <roque@di.fc.ul.pt>, linux-net@vger.rutgers.edu
In-Reply-To: <96Aug20.175647edt.15383@dvp.cs.toronto.edu>
>>>>> "Eric" == Eric Schenk <schenk@cs.toronto.edu> writes:
Eric> I'm not sure an "embryonic state" solves the problem.
Eric> There are two things we want to avoid here: (1) running out
Eric> of memory, (2) having legitimate TCP users locked out.
The idea is to try to reduce the amount of memory and processing
requirements of a socket in SYN-RECV, allowing you to increase the
number of allowed connection requests.
It is not meant as a solution but rather to raise the water mark higher.
And it targets more the no route back to the host that does an active
open than the attack case.
Eric> So, what did you have in mind that is not covered by this,
Eric> and that does not require some non-compatible extension to
Eric> the TCP protocol?
Only implementation changes.
Eric> Oh yeah, while I'm on the topic, we currently sit in
Eric> SYN_RECV way too long, waiting for a successful connect.
Are you sure? We should respect 793 and 1122.
./Pedro.
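
The reduced SYN-RECV state discussed in this message, as an added example that is not code from the thread or from the Linux kernel: a pending connection is kept as a small fixed-size record, and the full socket would only be allocated once the final ACK of the handshake matches. The names `struct embryo`, `embryo_on_syn`, `embryo_on_ack`, the table size and the lifetime are all assumptions made for illustration.

```c
#include <stdint.h>

/* Hypothetical compact record for a connection in SYN-RECV: only the fields
 * needed to check the final ACK of the handshake. Not a kernel structure. */
struct embryo {
    uint32_t raddr, laddr;   /* remote and local IPv4 address */
    uint16_t rport, lport;   /* remote and local port */
    uint32_t irs, iss;       /* peer's and our initial sequence number */
    uint32_t expires;        /* tick after which the slot may be reused */
    uint8_t  used;
};

#define EMBRYO_SLOTS 1024    /* assumed table size */
#define EMBRYO_TTL   75      /* assumed lifetime in ticks, not from the thread */

static struct embryo table[EMBRYO_SLOTS];

/* Store a SYN in a free or expired slot; return the slot, or -1 when full. */
int embryo_on_syn(const struct embryo *syn, uint32_t now)
{
    int slot = -1;
    for (int i = 0; i < EMBRYO_SLOTS; i++) {
        struct embryo *e = &table[i];
        int live = e->used && now <= e->expires;
        if (live && e->raddr == syn->raddr && e->rport == syn->rport &&
            e->laddr == syn->laddr && e->lport == syn->lport)
            return i;                     /* retransmitted SYN: keep entry */
        if (!live && slot < 0)
            slot = i;                     /* first free or expired slot */
    }
    if (slot < 0)
        return -1;                        /* table full: SYN is dropped */
    table[slot] = *syn;
    table[slot].expires = now + EMBRYO_TTL;
    table[slot].used = 1;
    return slot;
}

/* Match the handshake-completing ACK. On success the slot is released and
 * the caller would only now allocate the full socket. Returns 1 or 0. */
int embryo_on_ack(uint32_t raddr, uint16_t rport, uint32_t laddr,
                  uint16_t lport, uint32_t seq, uint32_t ack, uint32_t now)
{
    for (int i = 0; i < EMBRYO_SLOTS; i++) {
        struct embryo *e = &table[i];
        if (!e->used || now > e->expires) continue;
        if (e->raddr != raddr || e->rport != rport ||
            e->laddr != laddr || e->lport != lport) continue;
        if (seq != e->irs + 1 || ack != e->iss + 1) return 0;
        e->used = 0;
        return 1;
    }
    return 0;
}
```

With these fields a pending request costs 28 bytes on common ABIs, so the table can be made much larger than a backlog of full sockets, but it still fills up when requests are never completed, which is the "raise the water mark" limit stated above.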