Message-Id: <199609230114.TAA28187@rover.village.org>
To: Darren Reed
Subject: Re: comments on the SYN attack
Cc: security@FreeBSD.org
In-reply-to: Your message of "Mon, 23 Sep 1996 10:10:44 +1000." <199609230010.SAA29579@information-retrieval.village.org>
References: <199609230010.SAA29579@information-retrieval.village.org>
Date: Sun, 22 Sep 1996 19:14:18 -0600
From: Warner Losh

In message <199609230010.SAA29579@information-retrieval.village.org> Darren Reed writes:
: so, you're saying something like "if I already have an established
: connection to this source host, try not to drop the half-open state" ?

I hadn't intended to say that... I was wanting to make the point that
it was expensive to drop incipient half-open connections and that
should be avoided where possible. In a SYN Bombing scenario, however,
that isn't possible, but it would argue, imho, to be conservative
about what you drop.

Warner