Re: dstlimit filter on stock 2.4.22

On Tue, Nov 25, 2003 at 08:04:11PM -0700, Tim Gardner wrote:
> I've been messing with the patch-o-matic/base/dstlimit.patch filter from CVS. 

Hey, cool.  I never made an announcement for that code, but still it
seems to get used ;)

Be warned that although I have written dstlimit (as contract work), I
don't necessarily agree with what dstlimit does.

Ratelimiting of SYN packets (with limit or dstlimit) can only be helpful
in a very small subset of all cases.

In most cases, you will actually make the situation worse if you do any
kind of SYN limiting.  The problem is:  As soon as you hit the
configured limit, you will definitely have a DoS.  And chances are good
that your configured rate will result in a sooner DoS than without the
limit.

The only case where ratelimiting of SYN on a firewall will help is:

- the service[s] you protect can survive a packet-per-second rate _less_
  than the firewall
- you know exactly how many packets-per-second (or syn-per-second) your
  to-be-protected service[s] can handle.

In that particular case, you can create a limit rule that allows a few
packets/syn's less than your service[s] can handle.

The way more common case is:
- your firewall will not handle a higher pps/sps rate than the
  service[s] you want to protect.  in this case an attacker will DoS your
  firewall independent of any limits set.

> It uses constructs from 2.6 that do not exist in 2.4. 

please refer to davem's reply.

> Tim Gardner - timg@xxxxxxx

-- 
- Harald Welte <laforge@xxxxxxxxxxxx>               http://www.gnumonks.org/
============================================================================
Programming is like sex: One mistake and you have to support it your lifetime
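The argument in the message above (a SYN limit only helps when it sits just below a known service capacity, and otherwise becomes the DoS itself) can be checked with a small per-second model. The following is an added example, not code from the thread or from netfilter; it is a deliberate simplification of `-m limit` / `-m dstlimit` (no token-bucket burst, packets dropped without regard to sender) and all capacities and traffic rates are constructed numbers, not measurements.

```python
"""Simplified per-second model of a SYN rate limit in front of a service.

Constructed example to check the reasoning in the message above; it is
not netfilter code.  Assumptions:
  * the firewall drops everything once its own pps budget is exceeded
    (it becomes the DoS victim);
  * a limit rule drops excess SYNs without distinguishing legitimate
    from attack traffic (fair-share drop);
  * a service pushed past service_sps stops serving anyone that second;
  * the token-bucket burst of -m limit is ignored.
"""

from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Path:
    """Capacities along the path, in packets per second (assumed values)."""
    firewall_pps: int                # what the firewall can process before it is overwhelmed
    service_sps: int                 # SYN/s the protected service handles and stays up
    limit_sps: Optional[int] = None  # configured limit rate; None = no limit rule


def legit_served(path: Path, legit: int, attack: int) -> int:
    """Legitimate SYNs per second that reach a still-working service."""
    total = legit + attack
    if total == 0:
        return 0
    if total > path.firewall_pps:
        return 0                      # firewall itself is the DoS victim
    passed = total if path.limit_sps is None else min(total, path.limit_sps)
    if passed > path.service_sps:
        return 0                      # service overwhelmed, serves nobody
    return legit * passed // total    # limit drops legit and attack alike


def compare(firewall_pps: int, service_sps: int, limit_sps: int,
            legit: int, attack: int) -> Tuple[int, int]:
    """Return (legit served without a limit rule, legit served with it)."""
    without = Path(firewall_pps, service_sps)
    with_limit = Path(firewall_pps, service_sps, limit_sps)
    return (legit_served(without, legit, attack),
            legit_served(with_limit, legit, attack))


if __name__ == "__main__":
    # 1. Firewall slower than the service: the attacker kills the firewall
    #    and the limit rule changes nothing.
    print(compare(50_000, 100_000, 40_000, legit=1_000, attack=60_000))   # (0, 0)
    # 2. Limit just below a *known* service capacity: the service survives
    #    and a share of legitimate SYNs still gets through.
    print(compare(200_000, 10_000, 9_500, legit=1_000, attack=20_000))    # (0, 452)
    # 3. Limit set lower than the service needs: traffic the service could
    #    have absorbed is dropped, so the limit rule is the DoS.
    print(compare(200_000, 10_000, 2_000, legit=1_000, attack=4_000))     # (1000, 400)
```

Scenario 2 is the one narrow case the message allows for, and it only works because `service_sps` is known; guess it too low and you are in scenario 3, where the limit starts dropping legitimate connections at a rate the service would have handled fine.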
