Firewall Wizards mailing list archives
Re: SYN flood protection strategies (Was: Post connectionSYN)
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Fri, 17 Oct 2003 18:04:14 +0200
Paul Robertson wrote:

> Um, the point wasn't that the N to <N move was necessarily bad, just that you're either stuck with rate limiting of some sort, or a ring buffer of some sort, or you've recreated the problem all over again, just in a different place.

Yeah, if the firewall just hits the wall when the state table fills up, I agree completely. But that'd be a dumb thing to do, now wouldn't it? ;)

> I happen to think that rate limits are interesting when applied to this sort of thing, because if you can add additional information (such as originating AS from a radb sort of thing) then you can provide some semblance of QoSishness...

The problem here is applying this logic to 100k+ (heck, make it 1M+) states, while dealing with 100kpps (32Mbit/s) inbound. Too much logic, and you have a CPU crunching DoS which affects _all_ traffic and not just new connections. There are a number of approaches here that aren't too CPU intensive but still result in QoSish behavior, but I'm not in a mood to give away good ideas today >:]

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00  Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50  WWW: http://www.clavister.com
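An added illustration of the trade-off the two are arguing about (simulation code written for this archive page, not code from either poster or from Clavister): a firewall-side half-open table built as a fixed-capacity oldest-out buffer plus per-source token buckets kept in a fixed hashed array, so per-packet work and memory stay O(1) no matter how many states are held. The addresses, rates and capacities are made-up parameters. Against a spoofed flood (every SYN from a new source) the bounded buffer just evicts the legitimate half-open entry, which is the "recreated the problem in a different place" case; against a single-source flood the per-source rate limit holds it off.

```python
from collections import OrderedDict
import zlib


class SynGuard:
    """Bounded half-open table plus per-source token buckets in a fixed-size
    hashed array, so both memory and per-packet work are O(1)."""

    def __init__(self, capacity, rate, burst, nbuckets=65536):
        self.capacity, self.rate, self.burst = capacity, rate, burst
        self.half_open = OrderedDict()             # flow -> arrival time, oldest first
        self.buckets = [(burst, 0.0)] * nbuckets   # (tokens, last refill time)
        self.evicted = self.rate_dropped = 0

    def _take_token(self, src, now):
        i = zlib.crc32(src.encode()) % len(self.buckets)  # colliding sources share a bucket
        tokens, last = self.buckets[i]
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1
        self.buckets[i] = (tokens - 1 if ok else tokens, now)
        return ok

    def on_syn(self, flow, now):
        if not self._take_token(flow[0], now):
            self.rate_dropped += 1
            return False
        if flow in self.half_open:
            self.half_open.move_to_end(flow)        # retransmit: refresh, don't duplicate
        elif len(self.half_open) >= self.capacity:
            self.half_open.popitem(last=False)      # ring-buffer style: drop oldest entry
            self.evicted += 1
        self.half_open[flow] = now
        return True

    def on_ack(self, flow):
        # Third handshake packet: promote the flow out of the half-open set.
        return self.half_open.pop(flow, None) is not None


def simulate(n_syn, distinct_sources, capacity=1000, pps=100_000):
    """Flood the table, let a legitimate client SYN in mid-flood, keep flooding,
    then deliver the client's ACK. Returns (handshake_ok, table_size, evicted, rate_dropped)."""
    g = SynGuard(capacity, rate=10.0, burst=20)
    legit = ("198.51.100.7", "192.0.2.10", 51000, 80)   # constructed client flow
    t = 0.0
    for i in range(n_syn):
        if i == n_syn // 2:
            g.on_syn(legit, t)
        if distinct_sources:   # spoofed: a fresh source address per SYN
            src = "10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255)
        else:                  # one unspoofed source hammering the port
            src = "203.0.113.9"
        g.on_syn((src, "192.0.2.10", 40000 + i % 20000, 80), t)
        t += 1.0 / pps
    return g.on_ack(legit), len(g.half_open), g.evicted, g.rate_dropped
```

With 20000 spoofed SYNs at 100kpps the client's entry is gone before its ACK arrives and no source ever trips the rate limit; with the same flood from a single address only about twenty SYNs get in and the handshake completes.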