Firewall Wizards mailing list archives

Re: SYN flood protection strategies (Was: Post connection SYN)


From: Chuck Swiger <chuck () codefab com>
Date: Fri, 17 Oct 2003 12:47:51 -0400

On Friday, October 17, 2003, at 11:40 AM, Mikael Olsson wrote:
[ ... ]
> Yes, there are TCP stacks that handle SYN floods much better than
> what I described above (the linux crowd will undoubtedly cheer in with
> "all the world is a linux box!" here), but those that do handle it well
> enough on their own simply don't need the firewall to do SYN flood
> protection for them -- right?

Yes and no. It's becoming more common for systems to handle SYN floods well via mechanisms like net.inet.tcp.syncookies, but the farther upstream you can block or apply traffic prioritization/QoS, the better. Handling SYN floods at the firewall lets you conserve internal LAN bandwidth even if your Internet pipe(s) are still going to suffer.

--
-Chuck
