On Fri, 24 May 2013 06:51:36 -0700 Eric Dumazet <eric.dumazet@xxxxxxxxx> wrote: > On Fri, 2013-05-24 at 15:16 +0200, Jesper Dangaard Brouer wrote: [...cut...] > > I'm amazed, this patch will actually make it a viable choice to load > > the conntrack modules on a DDoS based filtering box, and use the > > conntracks to protect against ACK and SYN+ACK attacks. > > > > Simply by not accepting the ACK or SYN+ACK to create a conntrack > > entry. Via the command: > > sysctl -w net/netfilter/nf_conntrack_tcp_loose=0 > > > > A quick test show; now I can run a LISTEN process on the port, and > > handle an SYN+ACK attack of approx 2580Kpps (and the same for ACK > > attacks), while running a LISTEN process on the port. > > [...] > > > > Wow, this is very interesting ! > > Did you test the thing when expectations are possible ? (say ftp > module loaded) Nope. I'm not sure how to create a test case, that causes an expectation to be created. > I think we should add RCU in the fast path, instead of having to lock > the expectation lock. Its totally doable. Interesting! :-) -- Best regards, Jesper Dangaard Brouer MSc.CS, Sr. Network Kernel Developer at Red Hat Author of http://www.iptv-analyzer.org LinkedIn: http://www.linkedin.com/in/brouer -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
