Kevin Chadwick <[email protected]> writes:

> I'd say drop mode saves some resources in case of DoS and does slow down
> the scan. I don't see timeouts for users connecting to the wrong place
> as a big problem at all, though the messages may help them
> very occasionally.

For the drop vs return issue there seem to be two schools that never
quite agree, but for the DoS cases, the adaptive timeouts will help.
For the bruteforcers, there's always overload tables and various forms
of special treatment.

> I wonder whether a labrea/stutter type option for pf would be cool in
> some cases?

A tiny queue and pass with some negligible value for probability?

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
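
The pf features named in the reply above, put together as a pf.conf fragment. This is an added example, not part of the original message and not the poster's own configuration; the `egress` interface group (OpenBSD), the state limit, the rate limits, port 8025 and the 2% figure are all assumed values. The queue half of the last suggestion is left out because queue syntax differs between pf releases.

```conf
# Added example with constructed values; adjust to the local ruleset.

# Drop vs return: one policy applies to every plain "block" rule.
set block-policy drop        # silent drop: the client waits out its own timeout
# set block-policy return    # alternative: RST / ICMP unreachable, client fails fast

# Adaptive timeouts: above adaptive.start state entries, every timeout is
# scaled by (adaptive.end - states) / (adaptive.end - adaptive.start),
# so states expire faster as the table fills during a flood.
set limit states 10000
set timeout { adaptive.start 6000, adaptive.end 12000 }

# Overload table for bruteforcers.
table <bruteforce> persist

block in on egress
block in quick from <bruteforce>

# A source with more than 15 concurrent SSH connections, or more than
# 5 new ones within 3 seconds, is added to <bruteforce> and all of its
# existing states are flushed.
pass in on egress proto tcp to port ssh keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
     overload <bruteforce> flush global)

# "pass with some negligible probability": about 2% of connection
# attempts to this port get through, the rest fall to the block rule.
# Assumes a deliberately slow listener (for example spamd) on port 8025.
pass in on egress proto tcp to port 8025 probability 2%
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and `pfctl -t bruteforce -T show` lists the addresses the overload rule has collected.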
