> > > Does that mean that everybody can start a DOS attack by simply
> > > open(faking) 64000 tcp connections?
> >
> > http://tools.ietf.org/html/rfc4987
> >
> > So what can we do to prevent that?
>
> Seems syncookies are off by default?
>
> # cat /proc/sys/net/ipv4/tcp_syncookies
> 0
Also found some interesting docs here:
http://people.netfilter.org/hawk/presentations/devconf2014/iptables-ddos-mitigation_JesperBrouer.pdf

According to that, one conn needs 288 bytes in conntrack, so 200000 uses 57MB RAM

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
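As an added example, not part of the thread or of Proxmox's own tooling, the following POSIX sh script audits the two knobs the thread touches on: whether tcp_syncookies is off (the value 0 shown above), and how much memory a full conntrack table would take at the 288 bytes per entry figure from the linked slides. The 288-byte constant is assumed to hold for the reader's kernel, and the PROC_ROOT override is a testing convenience so the functions can be run against a constructed directory instead of the live /proc.

```shell
#!/bin/sh
# Added example: audit SYN-cookie state and conntrack sizing.
# Assumptions: 288 bytes per conntrack entry (figure from the slides
# linked in the thread); PROC_ROOT may point at a constructed tree.
PROC_ROOT="${PROC_ROOT:-/proc}"
BYTES_PER_CONNTRACK_ENTRY=288

# Print a sysctl value from the proc tree, or "unavailable" when the knob
# is absent (e.g. nf_conntrack module not loaded).
read_knob() {
    f="$PROC_ROOT/sys/$1"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        echo unavailable
    fi
}

# Map tcp_syncookies to a readable state:
# 0 = off, 1 = used only when the SYN backlog overflows, 2 = always used.
syncookies_state() {
    case "$(read_knob net/ipv4/tcp_syncookies)" in
        0) echo off ;;
        1) echo on-when-backlog-full ;;
        2) echo always ;;
        *) echo unavailable ;;
    esac
}

# Megabytes needed if every conntrack slot is occupied (integer MB).
conntrack_mem_mb() {
    entries="$1"
    echo $(( entries * BYTES_PER_CONNTRACK_ENTRY / 1000000 ))
}

# One line per finding; flags syncookies=0 and sizes the conntrack table.
audit() {
    state=$(syncookies_state)
    echo "tcp_syncookies: $state"
    if [ "$state" = off ]; then
        echo "  -> SYN floods can exhaust the listen backlog; consider tcp_syncookies=1"
    fi
    max=$(read_knob net/netfilter/nf_conntrack_max)
    echo "nf_conntrack_max: $max"
    if [ "$max" != unavailable ]; then
        echo "  -> worst-case conntrack table memory: ~$(conntrack_mem_mb "$max") MB"
    fi
}

# Run the audit against the live system when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    audit
fi
```

Run it as `sh audit.sh --run` on the host; with nf_conntrack_max at 200000 it reports the same 57 MB worst case the thread arrives at, and it names the syncookies state rather than just echoing the raw 0/1/2.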