On Fri, 8 Sep 2000, Andi Kleen wrote:
:I forgot to add: Alexey is of course right in that it doesn't help you
:at all. You cannot defend against packet floods, and with an active TCP
:you can be always tricked into bouncing packets without load limit
:(e.g. just by sending out of order packets for an established connection
:or in a zillion other ways)
"At all" is not what I would say. Of course noone is trying to defend
just at the kernel level. But I believe every step to make the linux
kernel less trickable to such exploitation of TCP implementation
"weaknesses", and also trying to make linux kernel behave less like
a TCP flood amplifier, is welcomed (without serious or harmful
"violation" of the protocol).
Untill some other way comes up, I will try out Alan's patch. I believe
it will help a lot, in conjuction with ipfw and some kind of dynamic
manipulation of it.
Thanks Alan Cox and everyone else.
-- George Athanassopoulos http://www.real.macedonia.gr http://www.egnatia.ee.auth.gr
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to firstname.lastname@example.org Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu Sep 07 2000 - 21:00:31 EST