Date:      Thu, 20 Dec 2001 23:18:49 -0500 (EST)
From:      Mike Silbersack <silby@silby.com>
To:        Jonathan Lemon <jlemon@flugsvamp.com>
Cc:        <cvs-committers@FreeBSD.org>, <cvs-all@FreeBSD.org>
Subject:   Re: cvs commit: src/sys/netinet tcp_syncache.c
Message-ID:  <Pine.BSF.4.30.0112202118500.80717-100000@niwun.pair.com>
In-Reply-To: <20011220152243.H26326@prism.flugsvamp.com>


On Thu, 20 Dec 2001, Jonathan Lemon wrote:

> On Thu, Dec 20, 2001 at 03:52:10PM -0500, Mike Silbersack wrote:
> > MD5 is only used for outgoing syn-acks if strict rfc1948 mode is enabled
> > (which it is not by default); normally, arc4random is used.
>
> I think you missed the part that said "initial outgoing SYNs".
> E.g.: where we are the ones initially establishing the connection.

Urk, I did.  Sorry.

> > I'm rusty on the syncache implementation, so bear with this if it's wrong:
> > If you're involved in being synflooded, the cache is going to be mostly
> > full.  On the other hand, if you're not being flooded, the cache will
> > generally be mostly empty.  Also, a flood is probably going to go on for a
> > while.  Hence, if the table's above a certain percent full, you could
> > assume that you should make cookies, because they'll be needed.
> > Otherwise, just use arc4random(), and accept that a few connections will
> > get dropped right when a flood starts, but that you'll be ok after that.
>
> Not quite; there is both a table and a bucket limit.  Entries can be
> overflowed from either one of these.  It would be possible to add various
> watermarks and change behavior when the watermarks are hit.
> --
> Jonathan

True, I guess it would be hard to get right (and finish before the already
existing code freeze.)

So, I guess minimally could you make the sysctl trigger the use of arc4random
when syncookies are going to be disregarded anyway?  I think that would be a
reasonable feature.

Mike "Silby" Silbersack
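
A toy C model of the exchange quoted above, added here as an illustration and not taken from this message or from FreeBSD's tcp_syncache.c: it compares a table-only fill heuristic with watermarks on both the table and the bucket limit. All names, sizes and the 75% watermark are assumptions.

```c
#include <stdio.h>

/* Hypothetical toy model; every name and limit below is an assumption. */
#define NBUCKETS       8   /* hash buckets in the toy cache */
#define BUCKET_LIMIT   4   /* max entries per bucket */
#define TABLE_LIMIT    24  /* max entries overall */
#define HIGH_WATER_PCT 75  /* watermark, as a percentage of a limit */

enum isn_mode { ISN_RANDOM, ISN_COOKIE };

struct toy_syncache {
    unsigned bucket_len[NBUCKETS];
    unsigned total;
};

/* Returns 1 if the entry fits, 0 if it would overflow either limit. */
int toy_insert(struct toy_syncache *sc, unsigned hash)
{
    unsigned b = hash % NBUCKETS;
    if (sc->total >= TABLE_LIMIT || sc->bucket_len[b] >= BUCKET_LIMIT)
        return 0;
    sc->bucket_len[b]++;
    sc->total++;
    return 1;
}

/* Table-only heuristic: cookies once the whole table passes the watermark. */
enum isn_mode mode_table_only(const struct toy_syncache *sc)
{
    return sc->total * 100 >= TABLE_LIMIT * HIGH_WATER_PCT ? ISN_COOKIE : ISN_RANDOM;
}

/* Watermarks on both limits: also switch when this SYN's bucket is nearly full. */
enum isn_mode mode_both(const struct toy_syncache *sc, unsigned hash)
{
    if (sc->bucket_len[hash % NBUCKETS] * 100 >= BUCKET_LIMIT * HIGH_WATER_PCT)
        return ISN_COOKIE;
    return mode_table_only(sc);
}

int main(void)
{
    struct toy_syncache sc = { {0}, 0 };
    /* Constructed input: three SYNs whose hashes all land in bucket 3. */
    toy_insert(&sc, 3); toy_insert(&sc, 11); toy_insert(&sc, 19);
    printf("table-only=%d both=%d\n", mode_table_only(&sc), mode_both(&sc, 3));
    return 0;
}
```

With only 3 of 24 table slots used, the table-only check still picks the random ISN even though the next entries hashing to bucket 3 are about to overflow.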

