Date:      Tue, 27 Dec 2005 00:48:23 -0800 (PST)
From:      Alberto Alesina <aalesina@yahoo.com>
To:        freebsd-pf@freebsd.org
Subject:   tracking half-open connections
Message-ID:  <20051227084823.28384.qmail@web32611.mail.mud.yahoo.com>

Hello,
For minimizing the effects of SYN flood attacks, is there
a way in PF to limit the number of possible
"half-open" TCP connections to protect servers
offering public services from SYN flood attacks from
spoofed IP source addresses?

Turning on the PF synproxy filter rule flag and choosing
aggressive timeouts seems a good defense against SYN
flood attacks, but I was curious if there are any
options similar to those of some commercial firewall vendors,
where after a configured maximum threshold of
"half-open" connections is exceeded, new connection
setup requests cause an existing (either the oldest or
random) half-open TCP connection to be dropped (with
the corresponding RST to the server to clear the
entry) before any new connection is allowed through.
Is overwhelming the system (by causing generation of
RSTs) a pitfall of such an approach and hence the
reason not to implement it?

Appreciate your time. Thanks a lot.
- Alberto Alesina
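
A pf.conf fragment along the lines the message describes (synproxy plus aggressive timeouts), added here as an illustration; it is not part of the original post or of any reply in the thread, and the interface name, server address and table name are constructed placeholders. Rather than evicting the oldest half-open entry, PF bounds half-open state with a global state cap and adaptive timeouts that shrink as the table fills, which is the part that still works against spoofed sources; the per-source limits only bite when an attacker's addresses repeat.

```conf
# Added example pf.conf fragment (not from the original post).
# Interface, server address and table name are constructed placeholders.
ext_if  = "em0"
web_srv = "192.0.2.10"

# Hard cap on the state table, plus adaptive timeouts: once more than
# adaptive.start entries exist, every timeout is scaled down linearly,
# reaching zero at adaptive.end. Half-open entries left by spoofed SYNs
# are therefore expired faster the harder the flood hits.
set limit states 20000
set timeout { adaptive.start 12000, adaptive.end 20000 }

# Aggressive handshake timeouts (defaults are 120 and 30 seconds):
# tcp.first   - state exists, only the initial SYN has been seen
# tcp.opening - SYN/ACK seen, three-way handshake not yet completed
set timeout { tcp.first 20, tcp.opening 10 }

# Sources that exceed the per-source limits below are collected in this
# table and blocked; useful only when the attacker's addresses repeat.
table <flooders> persist
block in quick on $ext_if from <flooders>

# synproxy: pf completes the handshake with the client itself and only
# then opens the connection to the server, so the server never holds a
# half-open socket for a client that does not answer the SYN/ACK.
pass in on $ext_if proto tcp from any to $web_srv port { 80, 443 } \
    flags S/SA synproxy state \
    (max-src-states 50, max-src-conn-rate 20/5, \
     overload <flooders> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch `pfctl -si` during a flood to see whether the state count climbs into the adaptive range.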
