On Fri, Nov 08, 2002 at 06:22:00AM -0500, jamal wrote:
> > There was a thread about this in private mail round April this year,
> > in which some good points were raised.
>
> There are some good points; however, what's the app for this feature?
This came up a long time ago on bugtraq in a discussion of how to easily
prevent certain IP addresses from DoSsing your TCP daemon. Right now,
userspace is always forced to complete the threeway handshake, and can only
then close the socket.
Even rather small amounts of SYN packets can thus easily saturate a server
which has decided to handle only 100 connections AND has decided to ignore a
certain IP address. Some inetd superservers contain code to rate-limit IP
addresses, which sadly is not as effective from userspace as it could be with
the ability to RST a connection immediately.
It also allows userspace to simulate that a service isn't even there,
without root capabilities.
Regards,
bert
--
http://www.PowerDNS.com Versatile DNS Software & Services
http://lartc.org Linux Advanced Routing & Traffic Control HOWTO
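The message above describes what a userspace daemon can do today: accept() returns only after the kernel has finished the three-way handshake, and the best the daemon can then do for an unwanted peer is to close the socket at once. The following is an added example (not code from this thread, PowerDNS, or any inetd) of that userspace-only defence: a small per-source-IP token bucket of the kind an inetd superserver might use, and a helper that closes the accepted socket with a RST rather than a FIN by setting SO_LINGER with a zero timeout. The burst size, refill rate and table size are assumed values chosen for the demonstration, and the sample addresses in the usage notes are constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Assumed limits for the demonstration: each source IP gets a burst of
 * BURST connections, refilled at REFILL_PER_SEC tokens per second.    */
#define MAX_TRACKED    64
#define BURST          5
#define REFILL_PER_SEC 1.0

struct bucket {
    uint32_t addr;   /* IPv4 address in network byte order; 0 = unused slot */
    double   tokens; /* remaining connection allowance                       */
    time_t   last;   /* time of the last refill                             */
};

static struct bucket table[MAX_TRACKED];

/* Find the bucket for addr, or claim an empty/least-recently-used slot for it. */
static struct bucket *find_bucket(uint32_t addr, time_t now)
{
    struct bucket *victim = &table[0];
    for (int i = 0; i < MAX_TRACKED; i++)
        if (table[i].addr == addr)
            return &table[i];
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (table[i].addr == 0) { victim = &table[i]; break; }
        if (table[i].last < victim->last) victim = &table[i];
    }
    victim->addr   = addr;
    victim->tokens = BURST;
    victim->last   = now;
    return victim;
}

/* Token-bucket decision: returns 1 if a connection from addr should be
 * rejected right now, 0 if it may be served.                          */
int should_reject(uint32_t addr, time_t now)
{
    struct bucket *b = find_bucket(addr, now);
    b->tokens += difftime(now, b->last) * REFILL_PER_SEC;
    if (b->tokens > BURST) b->tokens = BURST;
    b->last = now;
    if (b->tokens < 1.0) return 1;
    b->tokens -= 1.0;
    return 0;
}

/* Convenience wrapper taking a dotted-quad string; returns -1 on a bad address. */
int should_reject_str(const char *ip, time_t now)
{
    struct in_addr a;
    if (inet_pton(AF_INET, ip, &a) != 1) return -1;
    return should_reject(a.s_addr, now);
}

/* Close an accepted socket with a RST instead of a FIN: SO_LINGER with a zero
 * timeout makes close() drop any unsent data and reset the connection.      */
int reject_with_rst(int fd)
{
    struct linger lg = { .l_onoff = 1, .l_linger = 0 };
    if (setsockopt(fd, SOL_SOCKET, SO_LINGER, &lg, sizeof lg) < 0) return -1;
    return close(fd);
}

/* Demo accept loop on 127.0.0.1:8080 (port is an arbitrary choice). */
int main(void)
{
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(8080),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(lfd, 16) < 0) {
        perror("listen");
        return 1;
    }
    for (;;) {
        struct sockaddr_in peer;
        socklen_t plen = sizeof peer;
        int cfd = accept(lfd, (struct sockaddr *)&peer, &plen);
        if (cfd < 0) continue;
        /* The kernel has already completed the handshake by the time we get here;
         * the earliest userspace can act is to reset the established connection. */
        if (should_reject(peer.sin_addr.s_addr, time(NULL))) {
            reject_with_rst(cfd);
            continue;
        }
        close(cfd); /* a real daemon would serve the client here */
    }
}
```

With the assumed constants, a constructed source such as 198.51.100.7 gets five connections at one instant, the sixth is reset, and one second later exactly one more is admitted; a different source is unaffected. The example also makes the thread's point visible: the SYN/ACK and the backlog slot were already spent before `should_reject` ran, which is why a purely userspace rate limiter cannot be as effective as refusing before the handshake completes.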