See Jeff Weisberg's post to nanog yesterday. It can be solved in tcp_input.c, even for tens of thousands of syn packets/second. Just keep no state until the syn/ack comes back (and with a valid hash matching one you would have supplied as an initial seq number).

Avi
Dimo laments:
> Yep. Life sucks and we all die.
Victor Hugo, _The Hunchback of Notre Dame_ and _Les Miserables_ both inspired by the author seeing the word FATALITY graphically painted on a wall in Paris. (I highly recommend _Les Miserables_) Jean Valjean, the man who, for stealing a loaf of bread to feed a starving family, lives out his entire life in misery... ... hence, FATALITY (set in Paris in the early 1800s)
Anyway .....
I'll drop off unless someone can provide a technical suggestion on an algorithm that will stop high speed TCP SYN attacks in tcp_input.c (otherwise, I'm not moving toward my aim/target).
What is the IPv6 approach to solving this problem? Is there one?
Regards,
Tim
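
The stateless check described in the reply at the top of this message (store nothing on SYN, accept the returning ACK only if it carries a hash you would have issued as the initial sequence number), as an added example that is not code from this thread or from any real tcp_input.c. The `flow` struct, `syn_isn`, `ack_valid`, the choice of SipHash-2-4 as the keyed hash and the coarse time counter `tick` are assumptions made for illustration.

```c
#include <stdint.h>

#define ROTL(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); } while (0)

/* SipHash-2-4 over n whole 64-bit words (keyed hash assumed for this example). */
static uint64_t siphash24_words(const uint64_t k[2], const uint64_t *m, int n)
{
    uint64_t v0 = k[0] ^ 0x736f6d6570736575ULL, v1 = k[1] ^ 0x646f72616e646f6dULL;
    uint64_t v2 = k[0] ^ 0x6c7967656e657261ULL, v3 = k[1] ^ 0x7465646279746573ULL;
    for (int i = 0; i <= n; i++) {          /* last pass absorbs the length block */
        uint64_t w = (i < n) ? m[i] : ((uint64_t)(n * 8) << 56);
        v3 ^= w; SIPROUND; SIPROUND; v0 ^= w;
    }
    v2 ^= 0xff;
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

struct flow { uint32_t saddr, daddr; uint16_t sport, dport; }; /* hypothetical */

/* SYN arrives: derive the ISN for our SYN/ACK from a secret key, the 4-tuple,
 * the client's ISN and a coarse time counter. Nothing is stored. */
static uint32_t syn_isn(const uint64_t key[2], const struct flow *f,
                        uint32_t client_isn, uint32_t tick)
{
    uint64_t m[3] = { ((uint64_t)f->saddr << 32) | f->daddr,
                      ((uint64_t)f->sport << 48) | ((uint64_t)f->dport << 32) | tick,
                      client_isn };
    return (uint32_t)siphash24_words(key, m, 3);
}

/* ACK arrives with seq = client_isn + 1 and ack = our_isn + 1. Recompute the
 * hash for the current and previous tick; only a match creates a connection. */
static int ack_valid(const uint64_t key[2], const struct flow *f,
                     uint32_t seq, uint32_t ack, uint32_t now_tick)
{
    for (uint32_t age = 0; age < 2; age++)
        if (syn_isn(key, f, seq - 1, now_tick - age) == ack - 1)
            return 1;
    return 0;
}

int main(void)
{   /* constructed sample: 192.0.2.1:40000 -> 198.51.100.7:80, client ISN 1000 */
    const uint64_t key[2] = { 0x0123456789abcdefULL, 0xfedcba9876543210ULL };
    struct flow f = { 0xc0000201, 0xc6336407, 40000, 80 };
    return !ack_valid(key, &f, 1001, syn_isn(key, &f, 1000, 7) + 1, 8);
}
```

Because nothing from the SYN is kept, TCP options it carried (MSS, for instance) are not available when the ACK arrives; this example does not encode them into the sequence number.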