Date: Sun, 3 Feb 2013 19:09:34 -0500
From: George Neville-Neil <gnn@neville-neil.com>
To: net@freebsd.org
Subject: A question about SYN cookies...
Message-ID: <131E67C7-F336-414E-89C7-535D549443F5@neville-neil.com>

Howdy,

I've been reviewing the SYN cache and SYN cookie code and I'm wondering why we do all the work of generating a SYN cache entry before sending a SYN cookie. If the point of SYN cookies is to defend against a SYN flood then, to my mind, the SYN/ACK for the cookie case should be sent off before doing all the work to try to create and insert a cache entry.

Has anyone, as yet, looked at a way to move the sending code earlier into syncache_add() and checked to see if there is a performance improvement when a system is flooded with SYN packets?

Best,
George
