
Re: Using cookies to defeat syn-flooding



> When A receives the first SYN packet, [...], it sends B, as part of
> its return SYN packet, a "cookie" that contains the information that
> the queue entry would have: 
> 	-- source id of the SYN packet received [...]
> Comments appreciated ...

Such a cookie can only be computed after receipt of the SYN, making
this a time-space tradeoff.  The CPU power of A must be compared to
the bandwidth of its connection to the internet to determine whether
more queue space and random drop of half-open connections is better
than spending cycles on verification of the correspondent's source
address.
_________________________________________________________
Matt Crawford          crawdad@fnal.gov          Fermilab
  PGP: D5 27 83 7A 25 25 7D FB  09 3C BA 33 71 C4 DA 6A
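
A minimal sketch of the stateless cookie idea discussed in this thread, added here as an illustration and not part of the original message or any poster's code: the SYN-ACK sequence number carries a keyed hash of what the queue entry would have held, so A spends one hash per SYN and one per ACK instead of queue space. The 8-bit time slot plus 24-bit MAC layout, the key, the constants and all function names are assumptions.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key"  # assumption: per-host secret, rotated in practice
SLOT_SECONDS = 64                 # assumption: coarse time slot for cookie freshness
MAX_AGE_SLOTS = 2                 # accept cookies issued at most 2 slots ago


def _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, slot):
    """24-bit keyed hash over the data a half-open queue entry would hold."""
    msg = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
           + struct.pack("!HHIB", src_port, dst_port, client_isn, slot))
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now):
    """Return the 32-bit sequence number for the SYN-ACK; nothing is stored."""
    slot = (int(now) // SLOT_SECONDS) & 0xFF
    mac = _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, slot)
    return (slot << 24) | mac


def check_ack(src_ip, src_port, dst_ip, dst_port, seq, ack, now):
    """Validate the final ACK: ack-1 must be a fresh cookie for this 4-tuple."""
    cookie = (ack - 1) & 0xFFFFFFFF      # our SYN-ACK sequence number
    client_isn = (seq - 1) & 0xFFFFFFFF  # sequence number of the original SYN
    slot = cookie >> 24
    age = ((int(now) // SLOT_SECONDS) - slot) & 0xFF
    if age > MAX_AGE_SLOTS:              # stale, or claims a future slot
        return False
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, slot)
    received = cookie & 0xFFFFFF
    return hmac.compare_digest(expected.to_bytes(3, "big"),
                               received.to_bytes(3, "big"))
```
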