From: George Neville-Neil
To: net@freebsd.org
Subject: A question about SYN cookies...
Date: Sun, 3 Feb 2013 19:09:34 -0500
Message-Id: <131E67C7-F336-414E-89C7-535D549443F5@neville-neil.com>
List-Id: Networking and TCP/IP with FreeBSD

Howdy,

I've been reviewing the SYN cache and SYN cookie code and I'm wondering why we do all the work of generating a SYN cache entry before sending a SYN cookie. If the point of SYN cookies is to defend against a SYN flood then, to my mind, the SYN/ACK for the cookie case should be sent off before doing all the work to try to create and insert a cache entry. Has anyone, as yet, looked at a way to move the sending code earlier into syncache_add() and checked to see if there is a performance improvement when a system is flooded with SYN packets?

Best,
George