Re: linux kernel TCP, network connections and iptables

Date: Thu Sep 07 2000 - 13:00:38 EST

On Thu, 7 Sep 2000 wrote:
> Hello!
> > - Could there be some kind of handling for such packets (meaning TCP packets
> > reaching at an unused port with ACK bit set - with no previous SYN etc packet)
> > to avoid such DoS attacks? Is the same happening to newer kernels? If yes,
> > should we just eat it and shut up (because that's the way TCP works and it
> > will not change)?
> TCP MUST do this and this cannot be changed.
> > - To do something about the above DoS,...
> By any _formal_ criteria there is no DoS here. You reply with one packet
> to each incoming packet and do not hold any state. Where is DoS?

I believe that the DoS is that the path through the kernel turns out to be
long and that a lot of these packets will bring a machine to its knees.
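As an added example (not part of this thread), the CLOSED-state reply rules from RFC 793 that the reply above refers to ("TCP MUST do this"), written in Python, plus a per-source counter of the RSTs a stateless stack emits; the Segment type, the sample addresses and the threshold are constructed for illustration.

```python
# Added example (not from the thread): RFC 793 CLOSED-state reply rules for a
# segment arriving at a port with no listener, plus a per-source counter showing
# how many RSTs a stateless stack emits under a flood of stray ACKs.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dport: int
    seq: int
    ack: int
    length: int       # payload bytes; SYN and FIN each consume one sequence number
    flags: frozenset  # subset of {"SYN", "ACK", "RST", "FIN"}


def closed_port_reply(seg: Segment):
    """Reply a TCP stack must send for a segment hitting a closed port (RFC 793).
    Returns None when the segment carries RST (a RST is never answered); otherwise
    a Segment describing the RST. No state is kept: the reply depends only on the input."""
    if "RST" in seg.flags:
        return None
    if "ACK" in seg.flags:
        # Unsolicited ACK (the case discussed above): RST with SEQ=SEG.ACK, no ACK bit.
        return Segment(src="local", sport=seg.dport, dport=seg.sport,
                       seq=seg.ack, ack=0, length=0, flags=frozenset({"RST"}))
    # No ACK bit (e.g. a bare SYN): RST with SEQ=0, ACK=SEG.SEQ+SEG.LEN, ACK bit set.
    ctl = sum(1 for f in ("SYN", "FIN") if f in seg.flags)
    return Segment(src="local", sport=seg.dport, dport=seg.sport, seq=0,
                   ack=(seg.seq + seg.length + ctl) & 0xFFFFFFFF, length=0,
                   flags=frozenset({"RST", "ACK"}))


def rst_rate_per_source(segments, threshold):
    """Count RSTs generated per source address and return the sources at or above
    the threshold: the per-packet reply cost the thread argues about, measured."""
    counts = Counter()
    for seg in segments:
        if closed_port_reply(seg) is not None:
            counts[seg.src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample: one host sends 1000 stray ACKs to closed port 1234, another a single SYN.
SAMPLE = [Segment("198.51.100.7", 40000 + i, 1234, 1000 + i, 5000 + i, 0, frozenset({"ACK"}))
          for i in range(1000)]
SAMPLE.append(Segment("203.0.113.9", 51000, 1234, 777, 0, 0, frozenset({"SYN"})))

if __name__ == "__main__":
    print(rst_rate_per_source(SAMPLE, threshold=100))  # {'198.51.100.7': 1000}
```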
