[PATCH] Increased DoS protection.
Fri, 28 Apr 2000 11:38:28 +0930
In message <Pine.GSO.email@example.com> you writ
> On Thu, 27 Apr 2000, Rusty Russell wrote:
> > 3) Do randomish/LRU drop on unreplied connections when we're
> > under stress.
> My 2 cents CDN:
> I just gleaned at the code and must have missed the "randomness"
> in the drops.
> Would you please explain your algorithm (in english)?
This is why I said `randomish': I sweep through the hash table. If
that hash chain doesn't have a likely candidate, I try the hash chain
the new entry is trying to go into (in case they're trying to bomb one
I traverse the hash chain backwards (meaning oldest-creation first),
looking for connections which have only had one-way traffic (this
means no established TCP connections). This approximates LRU (only
approximate because retransmits do not reorder the hash chain).
I never touch connections with traffic both ways (TCP RST packets
don't count: handled specially in the tcp protocol tracking).
This leaves it vulnerable to SYN floods (as is the old masquerading
code, so we didn't get *worse* here): long term I will implement
window tracking as per ipfilter, and then I can be more confident that
a real three-way handshake has occurred, and set a high-confidence bit
for that connection.
Hope that helps,