On 12/13/05, Daniel Hartmeier <[EMAIL PROTECTED]> wrote:

> Insertion and
> removal of state entries is costly; if you set pf up to insert a state
> for every single SYN and remove one for every single RST, you're exposing
> yourself to a DoS attack where an attacker floods you with SYNs and
> RSTs like that.
This reminds me, one company I worked for got SYN flooded, and thus started dropping SYNs. So they enabled Linux SYN cookies, which involve an MD5 computation for each SYN it receives, and that succeeded in making the machines completely unresponsive, even to traffic on other ports like TCP/22. Apparently it's a bad idea to compute MD5 in kernel space on old Linux kernels (non-preemptible) for every SYN you receive.

-- 
http://www.lightconsulting.com/~travis/ -><-
P=NP if (P=0 or N=1)
"My love for mathematics is like 1/x as x approaches 0."
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
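The two messages above contrast the cost of keeping per-SYN state with the cost of computing a keyed hash per SYN instead. The following is an added, user-space model of the Linux-style SYN cookie scheme (not code from the thread, from pf, or from the Linux kernel): the server's initial sequence number encodes an MSS table index and a coarse time counter under two secrets, so no state is stored until the final ACK returns, at the price of two MD5 computations for every SYN and two more for every ACK. The secrets, the MSS table, the cookie lifetime and the addresses are constructed values chosen for illustration, and `count` is passed in explicitly rather than read from the clock so the behaviour is deterministic.

```python
import hashlib
import struct
import time

# Layout of the 32-bit cookie: top 8 bits carry the counter (mod 256),
# low 24 bits carry hash2 + MSS index. Constants are assumptions, not
# the kernel's actual values.
COOKIE_BITS = 24
COOKIE_MASK = (1 << COOKIE_BITS) - 1
MAX_COOKIE_AGE = 2                     # counter ticks a cookie stays valid
MSS_TABLE = [536, 1300, 1440, 1460]    # constructed table of encodable MSS values

# Two secrets a kernel would draw at boot; fixed here so the example repeats.
SECRET = (b"secret-0-constructed", b"secret-1-constructed")


def cookie_counter(now=None):
    """Coarse time counter; one tick per minute (assumption)."""
    return int(now if now is not None else time.time()) // 60


def _hash(saddr, daddr, sport, dport, count, which):
    """One MD5 over the 4-tuple, the counter and one secret, as a 32-bit int.
    This is the per-packet work that lands in the kernel's fast path."""
    data = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, count) + SECRET[which]
    return int.from_bytes(hashlib.md5(data).digest()[:4], "big")


def mss_index(mss):
    """Largest table entry not exceeding the peer's advertised MSS (index 0 if none fit)."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    return idx


def make_cookie(saddr, daddr, sport, dport, sseq, mss, count):
    """Server ISN for a SYN: two hashes, nothing stored.
    sseq is the client's ISN from the SYN."""
    h0 = _hash(saddr, daddr, sport, dport, 0, 0)
    h1 = _hash(saddr, daddr, sport, dport, count, 1)
    cookie = h0 + sseq + (count << COOKIE_BITS) + ((h1 + mss_index(mss)) & COOKIE_MASK)
    return cookie & 0xFFFFFFFF


def check_cookie(saddr, daddr, sport, dport, sseq, cookie, count):
    """Validate the cookie carried back in the ACK (ack_seq - 1).
    Returns the MSS to use, or None if the cookie is stale or not ours."""
    c = (cookie - _hash(saddr, daddr, sport, dport, 0, 0) - sseq) & 0xFFFFFFFF
    diff = (count - (c >> COOKIE_BITS)) & 0xFF        # ticks since issue, mod 256
    if diff >= MAX_COOKIE_AGE:
        return None
    idx = (c - _hash(saddr, daddr, sport, dport, count - diff, 1)) & COOKIE_MASK
    if idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[idx]


if __name__ == "__main__":
    # Constructed handshake: client 10.0.0.1:40000 -> server 10.0.0.2:22
    S, D, SP, DP = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 40000, 22
    client_isn, now = 1000, cookie_counter()
    isn = make_cookie(S, D, SP, DP, client_isn, 1460, now)
    print("SYN-ACK seq (cookie):", hex(isn))
    print("ACK one tick later  :", check_cookie(S, D, SP, DP, client_isn, isn, now + 1))
    print("ACK after expiry    :", check_cookie(S, D, SP, DP, client_isn, isn, now + MAX_COOKIE_AGE))
```

The point the thread makes falls out of the structure: a flood of SYNs costs the server one `make_cookie` each, which is bounded CPU rather than unbounded memory, but on a kernel that cannot be preempted during that hash the CPU cost is paid in the interrupt path ahead of every other socket. Replacing MD5 with a cheaper keyed function, or rate-limiting before the cookie path, changes the constant but not the shape.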