On 07/06/16 10:35, Peter J. Philipp wrote:
> On 06/06/16 21:57, Claudio Jeker wrote:
>> OpenBSD uses the syncache for TCP sockets in the 3-way handshake to save a
>> lot of work to create a full socket in case of synfloods, etc.
>> These unhatched sockets do not show up in the netstat output. Maybe they
>> should be added, but this is the first request that asks for them in the
>> 10+ years we use the syncache.
>
> Thanks for the history of this, Claudio. I am not really asking for them;
> I just wanted to know where they went. It's good to know that a
> LISTENING tcp socket goes directly to ESTABLISHED in OpenBSD. I would
> have another question though. How would an administrator tell I'm
> getting SYN flooded without the hunch that something is going on and
> jumping on tcpdump and doing packet accounting? How would you determine
> a syn flood?
>
> Regards,
> -peter

Well, I'm sure it depends on the attack, but good indications are:
packets/sec on your interfaces
packets blocked/sec
number of state table entries
number of state entries created by a rule
counters in pfctl -si
G
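
The following is an added example and not code from anyone in this thread. It turns two of the indicators above (state table size and the `pfctl -si` counters) into short-window rates. The point a practitioner usually trips over is that the "Rate" column `pfctl -si` prints is the average since pf was enabled, so a burst of state inserts over the last ten seconds barely moves it; diffing two snapshots you take yourself is what exposes the flood. The two snapshots embedded below are constructed and trimmed to the rows used here; the row names relied on (`current entries`, `inserts`, `state-insert`, `state-limit`) are the ones OpenBSD's `pfctl -si` prints, and the threshold of 2000 inserts/s is an arbitrary assumption to be tuned per host.

```shell
#!/bin/sh
# Added example, not from the thread: turn the counters named above into
# per-second deltas between two `pfctl -si` snapshots. The "Rate" column
# pfctl prints is the average since pf was enabled, so a burst only shows
# up if you diff two snapshots yourself.

# pf_counter NAME TEXT: print the "Total" column of the pfctl -si row that
# starts with NAME (e.g. "inserts", "state-limit", "current entries").
pf_counter() {
    printf '%s\n' "$2" | awk -v name="$1" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)              # pfctl indents counter rows
            if (index(line, name " ") == 1) {     # exact row name, then blanks
                rest = substr(line, length(name) + 1)
                sub(/^[ \t]+/, "", rest)
                split(rest, f, /[ \t]+/)
                print f[1]                        # the Total column
                exit
            }
        }'
}

# pf_rate NAME BEFORE AFTER SECONDS: integer per-second delta of counter NAME
# between two pfctl -si snapshots taken SECONDS apart.
pf_rate() {
    before=$(pf_counter "$1" "$2")
    after=$(pf_counter "$1" "$3")
    if [ -z "$before" ] || [ -z "$after" ]; then
        echo "counter '$1' not found in snapshot" >&2
        return 1
    fi
    echo $(( (after - before) / $4 ))
}

# syn_flood_check BEFORE AFTER SECONDS MAX_INSERTS_PER_SEC: print the
# indicators; return 0 if they look normal, 1 if the state-insert rate is
# above the threshold or the state table hit its limit during the window.
syn_flood_check() {
    inserts=$(pf_rate inserts "$1" "$2" "$3")
    limited=$(pf_rate state-limit "$1" "$2" "$3")
    entries=$(pf_counter "current entries" "$2")
    echo "state inserts/s: $inserts  state-limit hits/s: $limited  current entries: $entries"
    [ "$inserts" -le "$4" ] && [ "$limited" -eq 0 ]
}

# live_check SECONDS MAX_INSERTS_PER_SEC: the same check against the running
# firewall (needs root for pfctl). Not invoked in this offline demo.
live_check() {
    a=$(pfctl -si); sleep "$1"; b=$(pfctl -si)
    syn_flood_check "$a" "$b" "$1" "$2"
}

# Constructed snapshots (not real output), 10 s apart, trimmed to the rows
# used here. Note the Rate column barely changes while 100000 states are
# inserted in the window and the state table runs into its limit.
SNAP_BEFORE='Status: Enabled for 3 days 04:12:07           Debug: err

State Table                          Total             Rate
  current entries                      812
  searches                       418233901         1515.5/s
  inserts                          9204411           33.4/s
  removals                         9203599           33.3/s
Counters
  match                            9317210           33.8/s
  bad-offset                             0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  synproxy                               0            0.0/s'

SNAP_AFTER='Status: Enabled for 3 days 04:12:17           Debug: err

State Table                          Total             Rate
  current entries                    98650
  searches                       418414501         1516.1/s
  inserts                          9304411           33.7/s
  removals                         9207089           33.3/s
Counters
  match                            9418210           34.1/s
  bad-offset                             0            0.0/s
  state-insert                           0            0.0/s
  state-limit                         2400            0.0/s
  synproxy                               0            0.0/s'

# Threshold of 2000 inserts/s is an assumption; tune it to the host's baseline.
if syn_flood_check "$SNAP_BEFORE" "$SNAP_AFTER" 10 2000; then
    echo "no flood indicators"
else
    echo "SYN flood indicators present"
fi
```

The same diff-two-snapshots idea applies to the other items in the list: interface packet counters and per-rule state creation counts are also cumulative totals, so a short-window delta is what tells a burst apart from a busy but healthy box.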