From: Mike Silbersack [mailto:[EMAIL PROTECTED]]

> On Sat, 28 Feb 2004, Don Bowman wrote:
>
> > You could use ipfw to limit the damage of a syn flood, e.g.
> > a keep-state rule with a limit of ~2-5 per source IP, lower the
> > timeouts, increase the hash buckets in ipfw, etc. This would
> > use a mask on src-ip of all bits.
> > something like:
> >
> > allow tcp from any to any setup limit src-addr 2
> >
> > this would only allow 2 concurrent TCP sessions per unique
> > source address. Depends on the syn flood you are expecting
> > to experience. You could also use dummynet to shape syn
> > traffic to a fixed level I suppose.
>
> Does that really help? If so, we need to optimize the syncache. :(
In a real-world situation, with some latency from the originating syn-flood attacker, the syncache behaves fine. In a synthetic test situation like this, with probably ~0 latency from the initiator, the syncache gets overwhelmed too.

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
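An added example, not code from the thread or from FreeBSD itself: a small sh script that turns the quoted suggestion (a per-source `limit src-addr` rule, shorter dynamic-rule timeouts, more hash buckets) into a concrete ipfw ruleset. The sysctl names are the standard ipfw dynamic-rule tunables; the numeric values, rule numbers and function names are assumptions chosen for illustration and should be sized to the host. The script applies the rules only where an `ipfw` binary exists and otherwise just prints what it would run.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw ruleset limiting concurrent
# TCP sessions per source address, with the dynamic-rule tunables the
# thread mentions (timeouts, hash buckets). Values below are constructed.

PER_SRC_LIMIT=2        # concurrent sessions allowed per source address (assumed)
DYN_BUCKETS=4096       # hash buckets for dynamic rules, power of two (assumed)
SYN_LIFETIME=5         # seconds a half-open (SYN-only) dynamic rule lives (assumed)
DYN_MAX=65535          # ceiling on the number of dynamic rules (assumed)

# Emit the sysctl settings as name=value, one per line.
syncache_sysctls() {
    printf 'net.inet.ip.fw.dyn_buckets=%s\n' "$DYN_BUCKETS"
    printf 'net.inet.ip.fw.dyn_syn_lifetime=%s\n' "$SYN_LIFETIME"
    printf 'net.inet.ip.fw.dyn_max=%s\n' "$DYN_MAX"
}

# Emit the ruleset lines as ipfw accepts them (without the leading "ipfw").
build_ruleset() {
    # check-state must come first so packets of already-admitted sessions
    # match their dynamic rule and never reach the limit rule again.
    echo "add 100 check-state"
    # A new TCP session (SYN) creates a dynamic rule keyed on source address;
    # once a source already holds PER_SRC_LIMIT sessions, its further SYNs drop.
    echo "add 200 allow tcp from any to any setup limit src-addr $PER_SRC_LIMIT"
    # Fallback for established traffic whose dynamic rule has already expired.
    echo "add 300 allow tcp from any to any established"
}

# Number of rules the builder emits; used as a sanity check.
rule_count() {
    build_ruleset | wc -l | tr -d ' '
}

# Apply on a host with ipfw; elsewhere only show the commands that would run.
apply_ruleset() {
    if command -v ipfw >/dev/null 2>&1; then
        syncache_sysctls | while IFS= read -r kv; do sysctl "$kv"; done
        build_ruleset | while IFS= read -r rule; do ipfw $rule; done
    else
        echo "# ipfw not present; commands that would be applied:"
        syncache_sysctls | sed 's/^/sysctl /'
        build_ruleset | sed 's/^/ipfw /'
    fi
}

apply_ruleset
```

The ordering is the part that is easy to get wrong: without `check-state` ahead of the `limit` rule, every packet of an existing session is re-evaluated against the limit and the dynamic table is consulted only through the `limit` rule itself. `dyn_syn_lifetime` is what actually shortens how long a half-open entry from a spoofed source occupies the table, and `dyn_buckets` is the "increase the hash buckets" knob from the quoted message.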