Thanks Steven,
Out of curiosity, is there a hash table, or a way to view such a table and
its limits?
Alex
On 05/04/2013 07:34 PM, Steve Kann wrote:
Yes.
If you're keeping track of incoming connections, then the packets generated by the attacker in a SYN Flood connection will end up using ip_conntrack table entries. The whole point of SYNCOOKIES is to have zero stats. If you're getting million+ SYN/sec, you just cannot afford to keep track of them. Even with quite efficient data structures, there's only so many you can possibly track.
-SteveK
On May 4, 2013, at 9:27 PM, Alex Flex <aflexzor@xxxxxxxxx> wrote:
Steven,
In other words you are saying that having the following lines in my iptables script defeats the purpose of syn cookies?
/sbin/iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Just confirming.
Thanks
Alex
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
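
Added example, not part of either poster's message: one way to view the connection-tracking table's current entry count against its limits, which is the state the thread says a SYN flood fills up. It assumes the nf_conntrack sysctl files under /proc/sys/net/netfilter found on current kernels (kernels of the thread's era used ip_conntrack names); the function names are hypothetical and the sample values are constructed.

```shell
#!/bin/sh
# Added example: report conntrack table usage against its configured limits.
# Assumption: nf_conntrack is loaded and exposes nf_conntrack_count,
# nf_conntrack_max and nf_conntrack_buckets in the directory passed in.

# read_num FILE: print the integer stored in FILE; fail if missing or non-numeric.
read_num() {
    [ -r "$1" ] || return 1
    v=$(tr -d ' \n' < "$1")
    case "$v" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$v"
}

# conntrack_usage [DIR]: print "count max buckets percent_used".
conntrack_usage() {
    dir=${1:-/proc/sys/net/netfilter}
    count=$(read_num "$dir/nf_conntrack_count") || return 2
    max=$(read_num "$dir/nf_conntrack_max") || return 2
    buckets=$(read_num "$dir/nf_conntrack_buckets") || return 2
    [ "$max" -gt 0 ] || return 2
    printf '%s %s %s %s\n' "$count" "$max" "$buckets" $(( count * 100 / max ))
}

# conntrack_status DIR [WARN_PCT]: print OK, WARN, FULL or UNKNOWN.
# FULL means new flows cannot get an entry; UNKNOWN means the files were
# unreadable (for example, connection tracking is not loaded).
conntrack_status() {
    warn=${2:-80}
    usage=$(conntrack_usage "$1") || { echo UNKNOWN; return 0; }
    pct=${usage##* }
    if [ "$pct" -ge 100 ]; then echo FULL
    elif [ "$pct" -ge "$warn" ]; then echo WARN
    else echo OK
    fi
}

# Constructed sample values (not from a real host) so the demo runs offline.
demo=$(mktemp -d)
echo 58982 > "$demo/nf_conntrack_count"
echo 65536 > "$demo/nf_conntrack_max"
echo 16384 > "$demo/nf_conntrack_buckets"
conntrack_usage "$demo"
conntrack_status "$demo" 80
rm -rf "$demo"
```

On a live host, call `conntrack_status /proc/sys/net/netfilter` to read the real counters.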