Re: [fw-wiz] SYN flood protection strategies (Was: Post connection SYN)

• Previous message: Damian Gerow: "Re: [fw-wiz] Spamming, 'hidden' mail server"
• In reply to: Mikael Olsson: "Re: [fw-wiz] SYN flood protection strategies (Was: Post connection SYN)"
• Next in thread: Paul Robertson: "Re: [fw-wiz] SYN flood protection strategies (Was: Post connection SYN)"
• Reply: Paul Robertson: "Re: [fw-wiz] SYN flood protection strategies (Was: Post connection SYN)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: firewall-wizards@honor.icsalabs.com
Date: Fri, 17 Oct 2003 12:47:51 -0400

On Friday, October 17, 2003, at 11:40 AM, Mikael Olsson wrote:
[ ... ]
> Yes, there are TCP stacks that handle SYN floods much better than
> what I described above (the linux crowd will undoubtedly cheer in with
> "all the world is a linux box!" here), but those that do handle it well
> enough on their own simply don't need the firewall to do SYN flood
> protection for them -- right?

Yes and no. It's becoming more common for systems to handle SYN floods
well via mechanisms like net.inet.tcp.syncookies, but the farther
upstream you can block or apply traffic prioritization/QoS, the better.
  Handling SYN floods at the firewall lets you conserve internal LAN
bandwidth even if your Internet pipe(s) are still going to suffer.

-- 
-Chuck
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

• Previous message: Damian Gerow: "Re: [fw-wiz] Spamming, 'hidden' mail server"
• In reply to: Mikael Olsson: "Re: [fw-wiz] SYN flood protection strategies (Was: Post connection SYN)"
• Next in thread: Paul Robertson: "Re: [fw-wiz] SYN flood protection strategies (Was: Post connection SYN)"
• Reply: Paul Robertson: "Re: [fw-wiz] SYN flood protection strategies (Was: Post connection SYN)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]