Firewall Wizards mailing list archives
Re: SYN flood protection strategies (Was: Post connection SYN)
From: Chuck Swiger <chuck () codefab com>
Date: Fri, 17 Oct 2003 12:47:51 -0400
On Friday, October 17, 2003, at 11:40 AM, Mikael Olsson wrote:
[ ... ]
> Yes, there are TCP stacks that handle SYN floods much better than what I described above (the linux crowd will undoubtedly cheer in with "all the world is a linux box!" here), but those that do handle it well enough on their own simply don't need the firewall to do SYN flood protection for them -- right?
Yes and no. It's becoming more common for systems to handle SYN floods well via mechanisms like net.inet.tcp.syncookies, but the farther upstream you can block or apply traffic prioritization/QoS, the better. Handling SYN floods at the firewall lets you conserve internal LAN bandwidth even if your Internet pipe(s) are still going to suffer.
-- 
-Chuck
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
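
Added illustration, not part of the original message or of any participant's code: a simplified sketch of why a stack with SYN cookies (the kind of mechanism net.inet.tcp.syncookies enables) keeps answering during a SYN flood while a fixed backlog fills up. The cookie layout, secret, MSS table, backlog limit and addresses are constructed assumptions, not the FreeBSD or Linux algorithm.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # constructed; a real stack uses rotating random secrets
MSS_TABLE = (536, 1300, 1440, 1460)   # illustrative MSS classes that fit in 2 bits
M32 = 0xFFFFFFFF

def _mac24(conn, client_isn, t, idx):
    """24-bit keyed hash over the 4-tuple, client ISN, time counter and MSS index."""
    msg = repr((conn, client_isn, t, idx)).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]

def make_cookie(conn, client_isn, mss, counter):
    """Server ISN for the SYN-ACK: 6-bit counter | 2-bit MSS index | 24-bit MAC."""
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    t = counter & 0x3F
    mac = int.from_bytes(_mac24(conn, client_isn, t, idx), "big")
    return (t << 26) | (idx << 24) | mac

def check_ack(conn, seq, ack, counter, max_age=2):
    """Validate the handshake's final ACK using only fields carried in the packet.
    Returns the MSS to use, or None if the cookie is forged or too old."""
    client_isn, cookie = (seq - 1) & M32, (ack - 1) & M32
    t, idx = cookie >> 26, (cookie >> 24) & 3
    if (counter - t) & 0x3F > max_age:
        return None
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    ok = hmac.compare_digest(got, _mac24(conn, client_isn, t, idx))
    return MSS_TABLE[idx] if ok else None

def simulate(flood_size, backlog_limit=128):
    """Spoofed SYNs that never complete, then one real client (constructed traffic)."""
    backlog = set()                   # stateful listener: one entry per half-open SYN
    for i in range(flood_size):
        if len(backlog) < backlog_limit:
            backlog.add(("198.51.100.%d" % (i % 250), 1024 + i))
    real = ("192.0.2.10", 40000, "203.0.113.5", 80)
    stateful_ok = len(backlog) < backlog_limit         # room left for the real SYN?
    cookie = make_cookie(real, 1000, 1460, counter=7)  # cookie path stored nothing
    cookie_mss = check_ack(real, 1001, (cookie + 1) & M32, counter=8)
    return stateful_ok, cookie_mss

if __name__ == "__main__":
    print(simulate(10000))   # backlog is full, cookie handshake still completes
```

The flood packets still cross every link between the sender and the host that computes the cookie, which is the bandwidth cost the reply above says is better absorbed at the firewall.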