Now can I hold my breath waiting for vendors to incorporate this stuff into their products? Has anybody heard anything from Sun on this matter?

Dima

Mike O'Dell writes:
Vern Schryver at SGI has been running experiments and the conclusions are pretty compelling.
Have the listen queue do Random Drop of waiting connections. If the queue size is equal to or greater than the attack rate times the expected round-trip time, the probability of a real session connecting on the first SYN is very close to one.
Note this performs much better than "oldest drop" (aka FIFO).
In his tests, a machine sustained a 1200 SYN/second attack with no observable impact on system performance. With a queue size of 383, from a machine 250 msec round-trip away, thousands of connections completed with only a handful of initial SYN retransmissions (again, with a 1200 SYN/sec attack).
Best way to make the bogons leave is to make it not fun anymore.
This certainly seems to accomplish the goal.
-mo
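The random-drop versus oldest-drop comparison above can be made concrete with a small model of the half-open (SYN_RCVD) listen queue. The following is an added example written for this page, not Schryver's SGI code or any vendor's implementation; it assumes a simplified model in which the queue is already full of attacker half-opens when a legitimate SYN arrives, attacker SYNs arrive at a steady rate, and the legitimate entry only has to survive one round trip (until its ACK comes back). The function names, the closed-form approximation and the Monte Carlo loop are all my own.

```python
import random


def fifo_first_try_success(queue_size, attack_rate, rtt):
    """Oldest-drop (FIFO) listen queue under a steady SYN flood.

    A legitimate half-open entry becomes the oldest entry, and is evicted,
    once `queue_size` further SYNs have arrived, i.e. after queue_size /
    attack_rate seconds.  It completes only if its ACK (one RTT later)
    arrives before that.  In this model the result is all-or-nothing:
    the attacker just has to push the rate past queue_size / rtt.
    """
    return 1.0 if queue_size / attack_rate >= rtt else 0.0


def random_drop_first_try_success(queue_size, attack_rate, rtt):
    """Random-drop listen queue, closed-form approximation (my assumption).

    Each bogus SYN arriving at a full queue evicts a uniformly chosen entry,
    so the legitimate entry survives any single eviction with probability
    (1 - 1/queue_size).  About attack_rate * rtt such evictions happen
    during one round trip, giving (1 - 1/Q) ** (A * r), roughly exp(-A*r/Q).
    There is no cliff: success degrades smoothly as the attack rate grows.
    """
    return (1.0 - 1.0 / queue_size) ** (attack_rate * rtt)


def simulate_random_drop(queue_size, attack_rate, rtt, trials=2000, seed=1):
    """Monte Carlo check of the closed form with an explicit queue array."""
    rng = random.Random(seed)
    evictions_per_rtt = int(attack_rate * rtt)
    survived = 0
    for _ in range(trials):
        # Queue already full of attacker half-opens; the legitimate SYN
        # evicts one random entry and takes its slot.
        queue = ["bogus"] * queue_size
        queue[rng.randrange(queue_size)] = "legit"
        alive = True
        # Every further attacker SYN during the round trip evicts a random slot.
        for _ in range(evictions_per_rtt):
            idx = rng.randrange(queue_size)
            if queue[idx] == "legit":
                alive = False
                break
            queue[idx] = "bogus"
        if alive:
            survived += 1
    return survived / trials


def expected_syn_retransmissions(first_try_success):
    """Each retransmitted SYN gets an independent chance, so the number of
    retransmissions before success is geometric with mean (1 - p) / p."""
    if first_try_success <= 0.0:
        return float("inf")
    return (1.0 - first_try_success) / first_try_success


def compare(queue_size, attack_rate, rtt):
    """Side-by-side figures for both queue policies at one attack rate."""
    fifo = fifo_first_try_success(queue_size, attack_rate, rtt)
    rd = random_drop_first_try_success(queue_size, attack_rate, rtt)
    return {
        "fifo_first_try": fifo,
        "fifo_expected_retransmits": expected_syn_retransmissions(fifo),
        "random_drop_first_try": rd,
        "random_drop_expected_retransmits": expected_syn_retransmissions(rd),
    }


if __name__ == "__main__":
    # Parameters taken from the message: queue 383, 1200 SYN/s, 250 ms RTT.
    for rate in (1200, 2400, 4800):
        print(rate, "SYN/s:", compare(383, rate, 0.25))
    print("simulated random drop @1200:", simulate_random_drop(383, 1200, 0.25))
```

The interesting contrast is what happens as the attack rate climbs past queue_size / rtt (about 1532 SYN/s for a 383-entry queue and 250 ms): in this model oldest-drop goes straight from always succeeding to never succeeding, while random drop keeps admitting a useful fraction of first-try SYNs and the remainder get through on a retransmission.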