Howdy,

I've been reviewing the SYN cache and SYN cookie code and I'm wondering why we do all the work of generating a SYN cache entry before sending a SYN cookie. If the point of SYN cookies is to defend against a SYN flood then, to my mind, the SYN/ACK for the cookie case should be sent off before doing all the work to try to create and insert a cache entry. Has anyone, as yet, looked at a way to move the sending code earlier into syncache_add() and checked to see if there is a performance improvement when a system is flooded with SYN packets?

Best,
George