Hi,

> I don't see how. The socket is immediately close()'ed when it hits
> "tcp-request connection reject", this is as cheap as it gets.

If you're getting attacked, you try to send as few unnecessary packets
as possible; I guess a silent drop could be nice.

> > a) HAProxy (configured with rate limiting etc.) does a "tcp-request
> > connection reject" which ends up as a TCP RST. The attacker gets the
> > RST and immediately again
>
> Are you saying that an attacker retransmits faster because of the RST?
> That's nonsense, an attacker doesn't care about the RST at all.

His tools might care about it, for example if it's an automated SQLi-Test?

> > b) the same as a) but the socket will be closed on the server side but no
> > RST, nothing will be sent back to the remote side. The connections on the
> > remote side will be kept open until timeout.
>
> An attacker doesn't keep states on his local machine if his intention is to
> SYN flood you.

I think he's talking about established connections.
- Craig
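For readers following the thread, here is what the two behaviours being argued about look like in an HAProxy frontend. This is an added configuration example, not something posted by anyone in the thread: the frontend/backend names, addresses and the rate threshold are illustrative assumptions, and the commented `silent-drop` line assumes an HAProxy release that supports that action (1.6 and later), which is why it is shown as an alternative rather than alongside `reject`.

```haproxy
# Added example (not from the thread): per-source connection-rate limiting
# in an HAProxy frontend. Names, addresses and thresholds are assumptions.
frontend fe_web
    bind *:80
    mode http

    # Track each client IP: up to 100k entries, idle entries expire after 30s,
    # and store the connection rate measured over a sliding 3-second window.
    stick-table type ip size 100k expire 30s store conn_rate(3s)
    tcp-request connection track-sc0 src

    # Over the threshold: close the socket immediately. The remote side
    # receives a TCP RST, which is the "a)" case discussed in the thread.
    tcp-request connection reject if { sc0_conn_rate gt 20 }

    # Alternative, the "b)" case: drop the connection without sending anything
    # back, so the remote side holds its state until its own timeout fires.
    # Assumed to require HAProxy 1.6 or later; it replaces the 'reject' line.
    # tcp-request connection silent-drop if { sc0_conn_rate gt 20 }

    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080 check
```

The stick table is also what lets you see the limiter working: `show table fe_web` on the stats socket lists the tracked source addresses and their current `conn_rate`, so you can confirm which clients are being rejected (or dropped) and tune the threshold against real traffic before relying on it.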