Subject: Re: syn flooding handling ..
To: Murhy Paul <learning_netbsd@hotmail.com>
From: Bill Studenmund <wrstuden@netbsd.org>
List: netbsd-help
Date: 03/19/2004 14:53:00
--E/DnYTRukya0zdZ1
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Thu, Mar 18, 2004 at 09:42:37PM +0100, Manuel Bouyer wrote:
> On Thu, Mar 18, 2004 at 02:46:14PM +0530, Murhy Paul wrote:
> > [...]
> > >From very little I know there is no definite fail proof solution to sy=
n=20
> > attacks.
> > Best or most widely used being syn cookies / rst cookies ..
> > I was looking at the source code and tcp_input.c file does have all syn=
=20
> > cache handling.
> > But, being new wanted to know if that is on by default.
> > ( version I am looking onto is 1.6.1 .. )
>=20
> As far as I know it's on by default, and was in the 1.6 branch.
Looking at the cvs log for sys/netinet/tcp_input.c, the syn cache has been=
=20
around since 1997, which means it's been in NetBSD since 1.3.
[snip]
> >=20
> > And how well / what is the behaviour of netbsd when a default installat=
ion=20
> > is put in front a spoofed ip syn attack ?
>=20
> I think the developers who implemented the sync cache tested it with
> a flood on a 100Mbs LAN.
Note that the tests were performed in 1997, over 6 years ago. Given the
advances in CPU speeds since then (over 10x seems a fair estimate), it is
reasonable to expect comparable results with a gigabit ethernet connection
today.
Take care,
Bill
--E/DnYTRukya0zdZ1
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (NetBSD)
iD8DBQFAW3nMWz+3JHUci9cRAnb6AJ9HKIx//2oDCOVt7F+oUGgtMWDhowCdGIa9
g4QqSxmLoltS3a6Ipk6+rkw=
=BXzK
-----END PGP SIGNATURE-----
--E/DnYTRukya0zdZ1--