Lance Spitzner wrote:
> > Also, if they implemented a circular buffer where connections that had
> > been idle the longest were disconnected in favor of new connections their
> > scalability might increase some.
>
> Excellent recommendation, I'll pass it along to Check Point!
That means I can still DOS a site: If I send 500 packets a second, I
can wrap the connection table in 100 seconds. That means that the
idle-timer is reduced from an hour to less than two minutes.
The only solution is to only allow the longer timeout once BOTH sides
have sent a packet.
Roger.
--
** [EMAIL PROTECTED] ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
------ Microsoft SELLS you Windows, Linux GIVES you the whole house ------
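The two eviction policies argued about in this thread, simulated as an added example (not code from the thread or from Check Point): a plain LRU "circular buffer" versus Roger's proposal that an entry only earns the long idle timeout once both sides have sent a packet. Table size, packet rate and timeouts are constructed assumptions; the thread's 500 pkt/s wrapping the table in 100 s implies about 50,000 slots, and the simulation scales that down 10x (5,000 slots, 50 pkt/s) so it runs quickly while keeping the 100 s wrap time.

```python
from collections import OrderedDict

# Constructed assumptions (seconds). Scaled 10x down from the thread's numbers.
LONG_TIMEOUT = 3600.0   # idle timeout once BOTH sides have sent a packet
SHORT_TIMEOUT = 10.0    # idle timeout while only one side has been seen


class ConnTable:
    """Stateful-firewall connection table with a fixed number of slots."""

    def __init__(self, capacity, two_tier):
        self.capacity = capacity
        self.two_tier = two_tier      # False = plain LRU "circular buffer"
        self.entries = OrderedDict()  # key -> [last_seen, confirmed], oldest first

    def _timeout(self, confirmed):
        return LONG_TIMEOUT if confirmed or not self.two_tier else SHORT_TIMEOUT

    def _expire(self, now):
        stale = [k for k, (seen, conf) in self.entries.items()
                 if now - seen > self._timeout(conf)]
        for k in stale:
            del self.entries[k]

    def packet(self, key, now, reply=False):
        """Record a packet for flow `key`; reply=True means the responder answered."""
        if key in self.entries:
            entry = self.entries[key]
            entry[0], entry[1] = now, entry[1] or reply
            self.entries.move_to_end(key)
            return
        if len(self.entries) >= self.capacity:
            self._expire(now)                  # drop timed-out entries first
        if len(self.entries) >= self.capacity:
            victim = next(iter(self.entries))  # LRU: oldest entry of any kind
            if self.two_tier:                  # prefer a one-sided (unconfirmed) entry
                victim = next((k for k, (_, c) in self.entries.items() if not c), victim)
            del self.entries[victim]
        self.entries[key] = [now, reply]

    def alive(self, key, now):
        entry = self.entries.get(key)
        return entry is not None and now - entry[0] <= self._timeout(entry[1])


def legit_survives_flood(two_tier, capacity=5_000, pps=50, seconds=120):
    """Does an established, idle connection outlive a one-sided flood?"""
    table = ConnTable(capacity, two_tier)
    table.packet("legit", 0.0)                # client -> server
    table.packet("legit", 0.1, reply=True)    # server -> client: both sides seen
    for i in range(pps * seconds):            # constructed flood, never answered
        table.packet(("flood", i), 1.0 + i / pps)
    return table.alive("legit", 1.0 + seconds)
```

With plain LRU the idle legitimate connection is pushed out as soon as the table wraps (about 100 s in), exactly the reduced effective timeout Roger describes; with the two-tier rule the unanswered flood entries expire first and the confirmed connection keeps its full timeout.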