From owner-cvs-all Wed Jun 6 12:41:57 2001
Delivered-To: cvs-all@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP
	id 9D32537B401; Wed, 6 Jun 2001 12:41:52 -0700 (PDT)
	(envelope-from jesper@FreeBSD.org)
Received: (from jesper@localhost)
	by freefall.freebsd.org (8.11.3/8.11.3) id f56Jfqf74472;
	Wed, 6 Jun 2001 12:41:52 -0700 (PDT)
	(envelope-from jesper)
Message-Id: <200106061941.f56Jfqf74472@freefall.freebsd.org>
From: Jesper Skriver
Date: Wed, 6 Jun 2001 12:41:52 -0700 (PDT)
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/netinet tcp_input.c
X-FreeBSD-CVS-Branch: HEAD
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

jesper      2001/06/06 12:41:52 PDT

  Modified files:
    sys/netinet          tcp_input.c
  Log:
  Silby's take one on increasing FreeBSD's resistance to SYN floods:

  One way we can reduce the amount of traffic we send in response to a SYN
  flood is to eliminate the RST we send when removing a connection from
  the listen queue. Since we are being flooded, we can assume that the
  majority of connections in the queue are bogus. Our RST is unwanted
  by these hosts, just as our SYN-ACK was.

  Genuine connection attempts will result in hosts responding to our
  SYN-ACK with an ACK packet. We will automatically return a RST response
  to their ACK when it gets to us if the connection has been dropped, so
  the early RST doesn't serve the genuine class of connections much.

  In summary, we can reduce the number of packets we send by a factor of
  two without any loss in functionality by ensuring that RST packets are
  not sent when dropping a connection from the listen queue.

  Submitted by:	Mike Silbersack
  Reviewed by:	jesper
  MFC after:	2 weeks

  Revision  Changes    Path
  1.131     +15 -2     src/sys/netinet/tcp_input.c
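The packet-count argument in the log above, as a toy model added here for illustration; it is not the tcp_input.c change or any FreeBSD code. The queue depth, the drop-oldest eviction and the one-SYN-per-tick arrival pattern are assumptions of the model.

```c
#include <stdio.h>

#define QLEN 16   /* assumed listen-queue depth; a model parameter, not a FreeBSD value */

struct slot   { int used; unsigned id; };
struct counts { unsigned synack, drop_rst, late_ack_rst, established; };

/* Index of a free slot, or of the oldest entry when full (assumed eviction policy). */
static int free_or_oldest(const struct slot *q)
{
    int oldest = 0;
    for (int i = 0; i < QLEN; i++) {
        if (!q[i].used) return i;
        if (q[i].id < q[oldest].id) oldest = i;
    }
    return oldest;
}

/*
 * One SYN arrives per tick. Every `every`-th SYN is from a genuine host whose
 * ACK reaches us `delay` ticks later; all other SYNs are bogus and never ACK.
 * rst_on_drop selects the old behaviour (RST on eviction) or the new one.
 */
static struct counts simulate(unsigned nsyn, unsigned every, unsigned delay, int rst_on_drop)
{
    struct counts c = {0, 0, 0, 0};
    struct slot q[QLEN] = {{0, 0}};

    for (unsigned t = 0; t < nsyn + delay; t++) {
        if (t < nsyn) {                          /* SYN t: queue it, answer SYN-ACK */
            int i = free_or_oldest(q);
            if (q[i].used && rst_on_drop) c.drop_rst++;   /* the RST the commit removes */
            q[i].used = 1; q[i].id = t;
            c.synack++;
        }
        if (t >= delay && (t - delay) % every == 0) {     /* genuine ACK for SYN t-delay */
            int i = 0;
            while (i < QLEN && !(q[i].used && q[i].id == t - delay)) i++;
            if (i < QLEN) { q[i].used = 0; c.established++; }
            else c.late_ack_rst++;               /* connection already dropped: RST the ACK */
        }
    }
    return c;
}

int main(void)
{
    for (int rst = 1; rst >= 0; rst--) {         /* slow genuine hosts: ACK after 64 ticks */
        struct counts c = simulate(1000, 100, 64, rst);
        printf("rst_on_drop=%d: sent %u packets, %u late ACKs answered with RST\n",
               rst, c.synack + c.drop_rst + c.late_ack_rst, c.late_ack_rst);
    }
    return 0;
}
```

In both runs the genuine hosts whose entries were evicted still receive a RST in reply to their late ACK, while the packets sent toward bogus sources drop from nearly two per SYN to one.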