A question about SYN cookies...
George Neville-Neil
gnn at neville-neil.com
Mon Feb 4 01:40:26 UTC 2013
Howdy,
I've been reviewing the SYN cache and SYN cookie code and I'm wondering why we do all the work
of generating a SYN cache entry before sending a SYN cookie. If the point of SYN cookies is to
defend against a SYN flood then, to my mind, the SYN/ACK for the cookie case should be sent off before
doing all the work to try to create and insert a cache entry. Has anyone, as yet, looked at a way
to move the sending code earlier into syncache_add() and checked to see if there is a performance
improvement when a system is flooded with SYN packets?
Best,
George