Date: Sun, 3 Feb 2013 19:09:34 -0500
From: George Neville-Neil <gnn@neville-neil.com>
To: net@freebsd.org
Subject: A question about SYN cookies...
Message-ID: <131E67C7-F336-414E-89C7-535D549443F5@neville-neil.com>

Howdy,

I've been reviewing the SYN cache and SYN cookie code and I'm wondering why we do all the work of generating a SYN cache entry before sending a SYN cookie. If the point of SYN cookies is to defend against a SYN flood then, to my mind, the SYN/ACK for the cookie case should be sent off before doing all the work to try to create and insert a cache entry. Has anyone, as yet, looked at a way to move the sending code earlier into syncache_add() and checked to see if there is a performance improvement when a system is flooded with SYN packets?

Best,
George
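
A toy model of the ordering asked about above, added here as an illustration; it is not FreeBSD's syncache code and not part of the original message. It assumes a simplified cookie (a truncated HMAC-SHA256 over the 4-tuple, client ISN and a coarse time counter, with no MSS bits), hypothetical names (Listener, cookie, run), and a cookie-first mode that skips the cache insert entirely. It counts cache inserts and evictions rather than measuring time.

```python
import hmac, hashlib, struct
from collections import OrderedDict

SECRET = b"constructed-demo-key"   # constructed; a real stack uses a random, rotated secret
CACHE_LIMIT = 4                    # tiny on purpose so the flood overflows it
M32 = 0xFFFFFFFF

def cookie(src, sport, dst, dport, client_isn, epoch):
    """Server ISN derived from the packet alone: truncated HMAC, no stored state."""
    msg = struct.pack("!4sH4sHIB", src, sport, dst, dport, client_isn, epoch & 0xFF)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

class Listener:
    def __init__(self, cookie_first):
        self.cookie_first = cookie_first
        self.cache = OrderedDict()   # stand-in for the SYN cache, oldest entry first
        self.cache_ops = 0           # inserts + evictions: per-SYN state work

    def on_syn(self, src, sport, dst, dport, client_isn, epoch):
        isn = cookie(src, sport, dst, dport, client_isn, epoch)
        if self.cookie_first:
            return isn               # SYN/ACK goes out before any cache work
        if len(self.cache) >= CACHE_LIMIT:
            self.cache.popitem(last=False)   # evict the oldest entry
            self.cache_ops += 1
        self.cache[(src, sport, dst, dport)] = (client_isn, isn)
        self.cache_ops += 1
        return isn

    def on_ack(self, src, sport, dst, dport, seq, ack, epoch):
        client_isn, isn = (seq - 1) & M32, (ack - 1) & M32
        entry = self.cache.pop((src, sport, dst, dport), None)
        if entry is not None:
            return entry == (client_isn, isn)
        # No cache entry: recompute the cookie for the current and previous epoch.
        return any(cookie(src, sport, dst, dport, client_isn, e) == isn
                   for e in (epoch, epoch - 1))

def run(cookie_first, flood_syns=1000):
    """Legitimate SYN, then a flood, then the legitimate ACK and a forged ACK."""
    srv, cli = bytes([203, 0, 113, 1]), bytes([192, 0, 2, 10])   # documentation addresses
    l = Listener(cookie_first)
    isn = l.on_syn(cli, 40000, srv, 80, 1000, epoch=7)
    for i in range(flood_syns):      # constructed spoofed sources in 198.51.100.0/24
        l.on_syn(bytes([198, 51, 100, i % 256]), 1024 + i, srv, 80, i, epoch=7)
    good = l.on_ack(cli, 40000, srv, 80, 1001, (isn + 1) & M32, epoch=7)
    forged = l.on_ack(cli, 40000, srv, 80, 1001, (isn + 2) & M32, epoch=7)
    return l.cache_ops, good, forged
```

In both modes the legitimate handshake completes from the cookie alone once the flood has pushed its entry out of the cache; the difference the model exposes is only the per-SYN cache work done before the reply.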