Date: Mon, 15 Mar 1999 20:03:33 +0200 From: Ruslan Ermilov <ru@ucb.crimea.ua> To: The Tech-Admin Dude <geniusj@phoenix.unacom.com> Cc: questions@FreeBSD.ORG Subject: Re: SYN attacks Message-ID: <19990315200333.A6656@relay.ucb.crimea.ua> In-Reply-To: <Pine.BSF.4.10.9903151249070.29767-100000@phoenix.unacom.com>; from The Tech-Admin Dude on Mon, Mar 15, 1999 at 12:49:56PM -0500 References: <19990315194148.A841@relay.ucb.crimea.ua> <Pine.BSF.4.10.9903151249070.29767-100000@phoenix.unacom.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Mar 15, 1999 at 12:49:56PM -0500, The Tech-Admin Dude wrote:
[27 lines deleted]
> > > That looks to be (and as I understood it) for limitting bandwidth
> > > going through a certain device, I dont want to llimit overall bandwidth of
> > > the system, the SYN attacks dont actually take much bandwidth, but they do
> > > take a big chunk of system resources and dont allow anyone else to login
> > > while they are going on..
> >
> > No, you can limit only packets with SYN bit set.
> >
> > For example,
> >
> > ipfw pipe 1 config bw 1Kbit/s
> > ipfw add pipe 1 tcp from any to <your_host> setup via <external_interface>
^^^^^^^^^^^^^^^^^^^^^^^^
>
> Ah ha! :).. One more thing though, if I limit SYN to 1 kbit or 10
> kbit, the SYN would prolly use about that much so would other users still
> have room to connect to the server with him using up all the bandwidth
> designated for SYN packets?
>
See ^^^s above.
--
Ruslan Ermilov Sysadmin and DBA of the
ru@ucb.crimea.ua United Commercial Bank
+380.652.247.647 Simferopol, Ukraine
http://www.FreeBSD.org The Power To Serve
http://www.oracle.com Enabling The Information Age
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990315200333.A6656>