On 06/06/16 21:57, Claudio Jeker wrote: > OpenBSD uses the syncache for TCP sockets in the 3 way handshake to save a > lot of work to create a full socket in case of synfloods, etc. > These unhatched sockets do not show up in the netstat output. Maybe they > should be added but this is the first request that asks for them in the > 10+ years we use the syncache. >
Thanks for the history of this Claudio. I am not really asking for them I just wanted to know where they went. It's good to know that a LISTENING tcp socket goes directly to ESTABLISHED in OpenBSD. I would have another question though. How would an administrator tell I'm getting SYN flooded without the hunch that something is going on and jumping on tcpdump and doing packet accounting? How would you determine a syn flood? Regards, -peter
