Hi,

> I have configured the block_threshold to 2 keeping COOKIE_THRESHOLD to
> large value (in order to avoid hitting that condition).

I don't think it makes a lot of sense to use block_threshold without cookie_threshold. The cookie mechanism makes sure that a DoS attacker can't create state on the server with faked sender IP addresses. The block_threshold limits the number of connections once the address has been verified. The block_threshold is useless without cookie_threshold, as an attacker can use faked source addresses that are not covered by the block_threshold mechanism.

If you want to limit legitimate connection attempts to a certain level, you might have a look at IKE_SA_INIT dropping [1] that we'll introduce with the next release.

Regards
Martin

[1] http://wiki.strongswan.org/projects/strongswan/wiki/JobPriority#IKE_SA_INIT-dropping

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
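The two charon configurations discussed above, written out as strongswan.conf fragments. This is an added example, not part of the mailing-list exchange and not strongSwan project documentation. The option names charon.cookie_threshold and charon.block_threshold are real strongswan.conf settings; the numeric values are illustrative assumptions, and the init_limit_half_open option in the last fragment is assumed to be the name under which the IKE_SA_INIT dropping feature referenced in the post is configured in later releases.

```conf
# Added example (not from the original post). Three alternative
# strongswan.conf fragments; use only one "charon { ... }" section.
# Numeric values are assumptions chosen for illustration.

# --- 1. What the question describes: block_threshold alone ---
# cookie_threshold set so high that the cookie exchange never triggers.
# A spoofing attacker never returns a cookie, so its half-open IKE_SAs are
# never tied to a verified source address and block_threshold (a per-
# verified-address limit) never applies to them. The setting only
# constrains peers that really own their address.
charon {
    cookie_threshold = 1000000   # effectively disables cookies
    block_threshold = 2          # per-address cap, but only after verification
}

# --- 2. What the reply recommends: cookies first, then per-address cap ---
# Once more than cookie_threshold half-open IKE_SAs exist in total, charon
# answers IKE_SA_INIT with a cookie notify instead of creating state. Only a
# peer that echoes the cookie back (proving it receives traffic at that
# source address) gets an IKE_SA, and block_threshold then limits how many
# half-open IKE_SAs a single verified address may hold.
charon {
    cookie_threshold = 10
    block_threshold = 5
}

# --- 3. Limiting legitimate load (IKE_SA_INIT dropping, linked in [1]) ---
# Assumed option name for the feature the reply points to: drop new
# IKE_SA_INIT requests outright once this many half-open IKE_SAs exist,
# regardless of whether the peers are genuine.
charon {
    cookie_threshold = 10
    block_threshold = 5
    init_limit_half_open = 1000  # assumption: name/value illustrative
}
```

Fragment 2 is the baseline to verify first: with cookies active, a spoofed-source flood costs the server no state, and block_threshold becomes meaningful because every address it counts has completed the cookie round trip. Fragment 3 only makes sense on top of that, as a ceiling on genuine connection bursts rather than a defence against spoofing.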
