On Mon, May 27, 2013 at 02:33:46PM +0200, Jesper Dangaard Brouer wrote: > On Fri, 24 May 2013 06:51:36 -0700 > Eric Dumazet <eric.dumazet@xxxxxxxxx> wrote: > > > On Fri, 2013-05-24 at 15:16 +0200, Jesper Dangaard Brouer wrote: > [...cut...] > > > I'm amazed, this patch will actually make it a viable choice to load > > > the conntrack modules on a DDoS based filtering box, and use the > > > conntracks to protect against ACK and SYN+ACK attacks. > > > > > > Simply by not accepting the ACK or SYN+ACK to create a conntrack > > > entry. Via the command: > > > sysctl -w net/netfilter/nf_conntrack_tcp_loose=0 > > > > > > A quick test show; now I can run a LISTEN process on the port, and > > > handle an SYN+ACK attack of approx 2580Kpps (and the same for ACK > > > attacks), while running a LISTEN process on the port. > > > > [...] > > > > > > > Wow, this is very interesting ! > > > > Did you test the thing when expectations are possible ? (say ftp > > module loaded) > > Nope. I'm not sure how to create a test case, that causes an > expectation to be created. This is still in my queue, I didn't forget about this. I need to find some spare time to give this a test with expectations enabled and also with conntrackd/state-sync. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
