On Tue, Dec 09, 2003 at 09:02:21AM -0700, Michael Gale wrote:
>
> Hello,
>
> First make sure you are using tcpsyn_cookies:
>
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies -- if you have not compiled it into the kernel.
> This will help prevent DoS by assigning each incoming SYN packet a cookie instead of an actual
> connection state. A connection state will be created once the three-way handshake is completed.
>
> Second -- you should be dropping all packets on all interfaces and then only allow connections
> you have to pass.
>

Yes.. I'm already doing both of these things. I was thinking of doing something extra in addition to these..
Sorry I didn't mention these already.

There are always some connections allowed that can be used to fill up the state table..

Thanks anyway!

> Michael.
>

-- Pasi Kärkkäinen

   ^
  . .
 Linux
/ - \
Choice.of.the
.Next.Generation.
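As an added example (not part of the original messages), a small shell audit of the two settings Michael mentions: whether SYN cookies are enabled and whether the built-in INPUT and FORWARD chains default to DROP. The function names, the use of `iptables -S` style input, and the sample ruleset are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the two hardening settings discussed in the thread.
# Inputs are passed as text so the checks also work on saved output.

# check_syncookies VALUE -> 0 if SYN cookies are enabled (1, or 2 = always on)
check_syncookies() {
    case "$1" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# chain_policy RULESET CHAIN -> prints the default policy of a built-in chain.
# RULESET is text in `iptables -S` format, e.g. "-P INPUT DROP".
chain_policy() {
    printf '%s\n' "$1" | while read -r flag chain policy rest; do
        if [ "$flag" = "-P" ] && [ "$chain" = "$2" ]; then
            echo "$policy"
            break
        fi
    done
}

# audit SYNCOOKIES RULESET -> prints one finding per line,
# returns the number of findings (0 = both recommendations are met).
audit() {
    findings=0
    if ! check_syncookies "$1"; then
        echo "tcp_syncookies=$1: SYN cookies are disabled"
        findings=$((findings + 1))
    fi
    for c in INPUT FORWARD; do
        p=$(chain_policy "$2" "$c")
        if [ "$p" != "DROP" ]; then
            echo "$c default policy is ${p:-unknown}, expected DROP"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample ruleset (not taken from the thread).
SAMPLE_RULES='-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT'

# On a live host (iptables needs root):
#   audit "$(cat /proc/sys/net/ipv4/tcp_syncookies)" "$(iptables -S)"
```

Neither check covers the concern raised in the reply: connections that the ruleset allows still create state table entries.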