> >> OpenBSD uses the syncache for TCP sockets in the 3-way handshake to save a
> >> lot of work to create a full socket in case of synfloods, etc.
> >> These unhatched sockets do not show up in the netstat output. Maybe they
> >> should be added but this is the first request that asks for them in the
> >> 10+ years we use the syncache.
> >
> > Thanks for the history of this Claudio. I am not really asking for them,
> > I just wanted to know where they went. It's good to know that a
> > LISTENING tcp socket goes directly to ESTABLISHED in OpenBSD. I would
> > have another question though. How would an administrator tell I'm
> > getting SYN flooded without the hunch that something is going on and
> > jumping on tcpdump and doing packet accounting? How would you determine
> > a syn flood?
>
> Well I'm sure it depends on the attack but good indications are
>
> packets/sec on your interfaces
> packets blocked/sec
> number of state table entries
> number of state entries created by a rule
> counters in pfctl -si
Seconded, counters, graphs, logs, flows, visual observation, knowledge of the networking expected to be normal and not so. Multiple check points, multiple methods of observation, time.
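As an added example (not from anyone in this thread), a small Python script that compares two samples of the `pfctl -si` State Table section taken a known interval apart and reports the signals named above: the state insert rate against a baseline and the growth in current entries. The sample text is constructed; the field layout is assumed to follow what `pfctl -si` prints on OpenBSD, and the baseline is a value the administrator supplies from normal traffic.

```python
import re
from typing import Dict

# Constructed samples in the layout of `pfctl -si` (State Table section),
# assumed to have been captured 10 seconds apart.
SAMPLE_T0 = """\
State Table                          Total             Rate
  current entries                      420
  searches                           90312           17.4/s
  inserts                             6140            1.2/s
  removals                            5720            1.1/s
"""
SAMPLE_T1 = """\
State Table                          Total             Rate
  current entries                     9830
  searches                          162003           31.2/s
  inserts                            25470            4.9/s
  removals                            6060            1.2/s
"""

FIELDS = ("current entries", "searches", "inserts", "removals")


def parse_state_table(text: str) -> Dict[str, int]:
    """Extract the Total column of the State Table counters from pfctl -si text."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = re.match(r"\s+(current entries|searches|inserts|removals)\s+(\d+)", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    missing = [f for f in FIELDS if f not in counters]
    if missing:
        raise ValueError(f"missing counters: {missing}")
    return counters


def syn_flood_indicators(before: Dict[str, int], after: Dict[str, int],
                         interval_s: float, baseline_inserts_per_s: float,
                         factor: float = 10.0) -> Dict[str, float]:
    """Rate of new states and net growth of the table between two samples.
    'suspect' is set when inserts run far above baseline while the table keeps growing,
    i.e. states are created much faster than they complete or expire."""
    inserts_per_s = (after["inserts"] - before["inserts"]) / interval_s
    removals_per_s = (after["removals"] - before["removals"]) / interval_s
    growth = after["current entries"] - before["current entries"]
    return {
        "inserts_per_s": inserts_per_s,
        "removals_per_s": removals_per_s,
        "entry_growth": growth,
        "suspect": inserts_per_s > factor * baseline_inserts_per_s and growth > 0,
    }


if __name__ == "__main__":
    b, a = parse_state_table(SAMPLE_T0), parse_state_table(SAMPLE_T1)
    print(syn_flood_indicators(b, a, interval_s=10, baseline_inserts_per_s=1.5))
```

In practice the two samples would come from running `pfctl -si` on a timer, and `packets blocked/sec` or per-rule state counts (`pfctl -vsr`) can be folded in the same way.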