From: Norman Gray
To: "Steve O'Hara-Smith", Arthur Chance
Cc: FreeBSD Questions
Subject: Re: Detecting or mitigating syn-flood attacks
Date: Mon, 26 Jul 2021 21:00:10 +0100

Arthur and Steve, hello.

On 26 Jul 2021, at 14:42, Steve O'Hara-Smith wrote:

> There's a paper on using syncache for the purpose:

Many thanks, both. I'll read through that paper carefully, and see if, following Arthur's suggestion, there's a way of including net.inet.tcp.syncache.count in our monitoring (in particular to try to work out what value of 'count' counts as 'a lot').

I'll try to remember to report back here.

Best wishes,

Norman

--
Norman Gray : https://nxg.me.uk