Re: Simple DOS attack on FW-1

From: David Maxwell (davidat_private)
Date: Thu Aug 05 1999 - 11:16:50 PDT

On Wed, Aug 04, 1999 at 11:56:24AM +0200, Rogier Wolff wrote:
> Lance Spitzner wrote:
> > > Also, if they implemented a circular buffer where connections that had
> > > been idle the longest were disconnected in favor of new connections their
> > > scalability might increase some.
> >
> > Excellent recommendation, I'll pass it along to Check Point!
>
> That means I can still DOS a site: If I send 500 packets a second, I
> can wrap the connection table in 100 seconds. That means that the
> idle-timer is reduced from an hour to less than two minutes.
>
> The only solution is to only allow the longer timeout once BOTH sides
> have sent a packet.

I read the original sentence as "Circular buffer for half-open connections".
I believe people are misreading the 'idle the longest' portion thinking it
was meant to apply to fully open connections.

It's not perfect of course, if an abuser can spin the buffer in less than
the round trip time for a valid user to open a connection, no new connections
can ever be made. (But under that type of flood I can't think of a setup
that will perform any better either, aside from detect the flood source, and
discard from specific IPs. That can be defeated by using a range of addresses
anyway.)

--
David Maxwell, davidat_private|davidat_private -->
(About an Amiga rendering landscapes) It's not thinking, it's being artistic!
                                              - Jamie Woods
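The two readings of "disconnect the longest-idle entry" that the thread argues about, and David's round-trip-time caveat, can be checked with a small simulation. The code below is an added illustration, not code from the thread, from Check Point or from FW-1; the table size (50,000 slots, chosen so that 500 new flows per second wrap it in 100 seconds, as Rogier's numbers imply), the idle timer, the policy names, the `ConnTable`/`simulate` helpers and all traffic are assumptions constructed for the example. It models a fixed-size state table under two eviction policies: `lru_all` recycles the longest-idle entry regardless of state (Rogier's reading, where a flood shortens the effective idle timer to the wrap time), and `lru_half_open` recycles only entries that have seen one side, promoting an entry to established once both sides have sent a packet. A third run shows the caveat: when the flood wraps the half-open buffer faster than a legitimate client's round trip, that client's reply finds no state and is dropped.

```python
"""Simulation (added example) of two eviction policies for a fixed-size
firewall connection table under a spoofed new-flow flood.

All numbers are assumptions: 500 flows/s wrapping the table in 100 s, as in
the thread, implies a 50,000-slot table; the one-hour idle timer is the one
the thread mentions."""
from collections import OrderedDict

CAPACITY = 50_000        # assumed slot count: 500 flows/s * 100 s
FLOOD_RATE = 500         # spoofed new flows per second, from the thread
ESTABLISHED_IDLE = 3600  # one-hour idle timer, from the thread


class ConnTable:
    """State table keyed by a flow tuple, with two eviction policies.

    'lru_all':       a new flow evicts the longest-idle entry whatever its
                     state (the reading Rogier objects to).
    'lru_half_open': only half-open entries (one side seen) are recycled; an
                     entry becomes established once BOTH sides have sent a
                     packet and then expires only on the idle timer.
    """

    def __init__(self, capacity, policy):
        self.capacity, self.policy = capacity, policy
        self.half_open = OrderedDict()    # flow -> last_seen, oldest first
        self.established = OrderedDict()  # flow -> last_seen, oldest first
        self.evicted_established = 0      # live sessions killed by the flood
        self.refused = 0                  # new flows refused for lack of a slot

    def _expire(self, now):
        # Idle-timer expiry for established entries, oldest first.
        while self.established and now - next(iter(self.established.values())) > ESTABLISHED_IDLE:
            self.established.popitem(last=False)

    def _make_room(self):
        oldest_half = next(iter(self.half_open.values()), None)
        oldest_est = next(iter(self.established.values()), None)
        if self.policy == 'lru_all' and oldest_est is not None and (
                oldest_half is None or oldest_est <= oldest_half):
            self.established.popitem(last=False)   # a live session is recycled
            self.evicted_established += 1
            return True
        if oldest_half is not None:
            self.half_open.popitem(last=False)     # recycle a half-open entry
            return True
        return False  # table full of established entries; refuse the new flow

    def packet(self, flow, from_initiator, now):
        """Return True if the packet matched or created state, False if dropped."""
        self._expire(now)
        if flow in self.established:
            self.established[flow] = now
            self.established.move_to_end(flow)
            return True
        if flow in self.half_open:
            del self.half_open[flow]
            target = self.half_open if from_initiator else self.established
            target[flow] = now  # a reply from the other side promotes the entry
            return True
        if not from_initiator:
            return False  # reply with no matching state: stateful drop
        if len(self.half_open) + len(self.established) >= self.capacity and not self._make_room():
            self.refused += 1
            return False
        self.half_open[flow] = now
        return True


def simulate(policy, flood_rate=FLOOD_RATE, flood_seconds=200,
             legit_flows=1000, late_client_at=150.0, rtt=0.2):
    """Constructed scenario: legit_flows long-lived sessions, then a flood of
    spoofed first packets; one legitimate client opens a new session at
    late_client_at and its peer's reply arrives rtt seconds later."""
    table = ConnTable(CAPACITY, policy)
    for i in range(legit_flows):
        table.packet(('legit', i), True, 0.0)
        table.packet(('legit', i), False, 0.0)   # both sides seen: established
    late_sent, late_ok, n = False, None, 0
    for sec in range(flood_seconds):
        for k in range(flood_rate):
            now = sec + k / flood_rate
            if not late_sent and now >= late_client_at:
                table.packet(('late', 0), True, late_client_at)
                late_sent = True
            if late_sent and late_ok is None and now >= late_client_at + rtt:
                late_ok = table.packet(('late', 0), False, late_client_at + rtt)
            table.packet(('spoof', n), True, now)  # spoofed, never answered
            n += 1
    return {
        'legit_surviving': sum(1 for f in table.established if f[0] == 'legit'),
        'evicted_established': table.evicted_established,
        'late_client_established': bool(late_ok),
        'wrap_time_s': CAPACITY / flood_rate,
    }


if __name__ == '__main__':
    for policy in ('lru_all', 'lru_half_open'):
        print(policy, simulate(policy))
    print('flood faster than RTT:',
          simulate('lru_half_open', flood_rate=100_000, flood_seconds=3,
                   late_client_at=1.0, rtt=1.0))
```

Under `lru_all` the thousand established sessions are gone after exactly the wrap time (100 s), which is Rogier's objection; under `lru_half_open` they survive the whole flood while only the spoofed half-open entries churn. The last run raises the flood to wrap the buffer in 0.5 s against a 1 s round trip: the legitimate client's reply arrives after its half-open entry was recycled and is dropped, which is the residual weakness David describes.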
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:55:07 PDT