Re: Excellent host SYN-attack fix for BSD hosts

[freedman () netaxs com (Avi Freedman)]

Sorry that I got you so worked up - but realize to those who are religiously
anti-Solaris (for whatever the reason, but let's say the top 2 are "why
should I change the keys my fingers are used to hitting" and "gee, am I
glad I didn't go through the years of horrid, buggy, and slow releases").

And the tone of the announcement was fairly off-putting to those
who do prefer to use SunOS.

Anyway, many of those will probably migrate to NetBSD or other variants
and won't be troubling Sun any more in a few years...

And we'll tell people (especially in the ISP and networking community)
about nice patches and will provide community support for them...

> >  Hopefully Sun will incorporate this into their security announcement, which
> >  basically says you're screwed if you run SunOS, though it does describe
> >  how to increase the queue and decrease the SYN-holding timeout (if you
> >  have source...
>
>       Incorporating it or endorsing it would be problematical for a couple
>       of reasons. Let me state them, then if anybody wants to give me
>       public or private feedback I'd be delighted.

I understand all of your staed reasons.
What I expressed was a hope.
Obviously that hope is baseless.
That's OK, I'm a big boy :)
Physically as well as emotionally.

>       Sorry to go on so long. I guess the good news is that you're
>       getting the answer straight from the horse's mouth, with the
>       bark off and (pretty much) to the point. If anybody can change
>       my mind, I can probably get Avi's suggestion put into practice.
>       Now at least you know we considered this kind of action carefully,
>       and know the most important reasons we rejected it.

We'll probably post source diffs as well and anyone with SunOS source
(you, perhaps :) ) can take a look and decide for yourselves how messy
or interesting it would be to incorporate the changes.

>       I know that this space is not really the place for discussion,
>       but I figured if one person could post my work here and the
>       other could make a (thoughtful) suggestion about it, it wouldn't

Thanks for realizing it was a thoughtful and only slightly pissed-off
suggestion...

>       be out of place for me to respond. I do suggest we take this
>       discussion off line now, though. (And I would appreciate it if
>       this note didn't appear in places I don't choose to put it, as
>       only a few of my other explanations have. Thanks.)
>
>       -mg-

Avi