Hello,
For minimizing effects of SYN flood attacks, is there
a way in PF to limit the number of possible
"half-open" TCP connections to protect servers
offering public services from SYN flood attacks from
spoofed IP source addresses?
Turning on PF synproxy filter rule flag and choosing
aggressive timeouts seems a good defense against SYN
flood attacks, but I was curious if there are any
options similar to some commercial firewall vendors,
where after a configured maximum threshold of
"half-open" connections is exceeded, new connection
setup requests cause an existing (either the oldest or
random) half-open TCP connection to be dropped (with
the corresponding RST to the server to clear the
entry) before any new connection is allowed through.
Is overwhelming the system (by causing generation of
RST's) a pitfall of such an approach and hence the
reason not to implement it?
Appreciate your time. Thanks a lot.
- Alberto Alesina
__________________________________________
Yahoo! DSL Something to write home about.
Just $16.99/mo. or less.
dsl.yahoo.com
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
