Re: linux kernel TCP, network connections and iptables

From: George Athanassopoulos (
Date: Thu Sep 07 2000 - 18:18:22 EST

On Fri, 8 Sep 2000, Andi Kleen wrote:

:I forgot to add: Alexey is of course right in that it doesn't help you
:at all. You cannot defend against packet floods, and with an active TCP
:you can be always tricked into bouncing packets without load limit
:(e.g. just by sending out of order packets for an established connection
:or in a zillion other ways)

  "At all" is not what I would say. Of course noone is trying to defend
  just at the kernel level. But I believe every step to make the linux
  kernel less trickable to such exploitation of TCP implementation
  "weaknesses", and also trying to make linux kernel behave less like
  a TCP flood amplifier, is welcomed (without serious or harmful
  "violation" of the protocol).
  Untill some other way comes up, I will try out Alan's patch. I believe
  it will help a lot, in conjuction with ipfw and some kind of dynamic
  manipulation of it.

  Thanks Alan Cox and everyone else.

George Athanassopoulos

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to Please read the FAQ at

This archive was generated by hypermail 2b29 : Thu Sep 07 2000 - 21:00:31 EST