[PATCH] Increased DoS protection.
bof@oknodo.bof.de
Fri, 28 Apr 2000 07:52:19 +0200 (MEST)
...
> I never touch connections with traffic both ways (TCP RST packets
> don't count: handled specially in the tcp protocol tracking).
Hmm. How do you do "bothways"? Do you require both-way packets to
be seen, or just look at both sequence number spaces? At least one
of the applications I'm working on has the potential to route all
packets of the (bulky) route back to the client directly, instead
of the conntracking box:
HTTP browser -> access router -> conntrack box -> maybe WWW Origin server
then
Origin server -> access router -> HTTP Browser
Works so far; please don't break it :)
> code, so we didn't get *worse* here): long term I will implement
> window tracking as per ipfilter, and then I can be more confident that
> a real three-way handshake has occurred, and set a high-confidence bit
> for that connection.
Sounds Good(tm).
Patrick
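An added example, not code from the thread or from netfilter, modelling the "traffic both ways" rule under discussion: a toy conntrack table that flags an entry as seen-both-ways only when a non-RST packet arrives in the reply direction, fed with constructed traces for the symmetric case and for Patrick's asymmetric route where replies bypass the conntrack box. The `Flow`, `Entry`, `ConnTracker` names and all addresses are assumptions for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One direction of a TCP connection, keyed by its 4-tuple (constructed model)."""
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport)

@dataclass
class Entry:
    seen_reply: bool = False  # set once a non-RST packet is seen in the reply direction
    packets: int = 0

class ConnTracker:
    def __init__(self) -> None:
        self.table = {}  # original-direction Flow -> Entry

    def observe(self, flow: Flow, rst: bool = False) -> Entry:
        if flow in self.table:                 # original direction
            entry = self.table[flow]
        elif flow.reverse() in self.table:     # reply direction
            entry = self.table[flow.reverse()]
            if not rst:                        # RSTs are handled specially and do not count
                entry.seen_reply = True
        else:                                  # first packet of a new connection
            entry = self.table[flow] = Entry()
        entry.packets += 1
        return entry

    def unassured(self) -> list:
        """Entries without two-way traffic: the ones DoS protection would evict first."""
        return [f for f, e in self.table.items() if not e.seen_reply]

def run_traces() -> dict:
    """Constructed traces; returns the seen-both-ways state per scenario."""
    ct = ConnTracker()
    client, server = "10.0.0.2", "192.0.2.80"  # constructed addresses
    sym = Flow(client, 40001, server, 80)       # box sees SYN and SYN/ACK
    ct.observe(sym); ct.observe(sym.reverse())
    asym = Flow(client, 40002, server, 80)      # replies return via the access router
    ct.observe(asym); ct.observe(asym)          # so the box only sees client packets
    rst_only = Flow(client, 40003, server, 80)  # peer answers with RST only
    ct.observe(rst_only); ct.observe(rst_only.reverse(), rst=True)
    return {"symmetric": ct.table[sym].seen_reply,
            "asymmetric": ct.table[asym].seen_reply,
            "rst_only": ct.table[rst_only].seen_reply}
```

In this model the asymmetric connection never earns the seen-both-ways mark, so it stays in the set that an eviction policy keyed on two-way traffic would drop first.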