freebsd-nq/sys/netinet
Jesper Skriver 65f28919b3 Silby's take one on increasing FreeBSD's resistance to SYN floods:
One way we can reduce the amount of traffic we send in response to a SYN
flood is to eliminate the RST we send when removing a connection from
the listen queue.  Since we are being flooded, we can assume that the
majority of connections in the queue are bogus.  Our RST is unwanted
by these hosts, just as our SYN-ACK was.  Genuine connection attempts
will result in hosts responding to our SYN-ACK with an ACK packet.  We
will automatically return a RST response to their ACK when it gets to us
if the connection has been dropped, so the early RST doesn't serve the
genuine class of connections much.  In summary, we can reduce the number
of packets we send by a factor of two without any loss in functionality
by ensuring that RST packets are not sent when dropping a connection
from the listen queue.

Submitted by:	Mike Silbersack <silby@silby.com>
Reviewed by:	jesper
MFC after:	2 weeks
2001-06-06 19:41:51 +00:00
..
libalias Add BSD-style copyright headers 2001-06-04 15:09:51 +00:00
accf_data.c Remove headers not needed. 2000-10-07 23:15:17 +00:00
accf_http.c Fix incorrect logic wouldn't disconnect incomming connections that had been 2001-01-03 19:50:23 +00:00
fil.c fix conflicts 2001-02-04 14:26:56 +00:00
icmp6.h sync with kame tree as of july00. tons of bug fixes/improvements. 2000-07-04 16:35:15 +00:00
icmp_var.h Clean up RST ratelimiting. Previously, ratelimiting occured before tests 2001-02-11 07:39:51 +00:00
if_atm.c udp IPv6 support, IPv6/IPv4 tunneling support in kernel, 1999-12-07 17:39:16 +00:00
if_atm.h Add $FreeBSD$ 2000-05-01 20:32:07 +00:00
if_ether.c Add a missing m_pullup() before a mtod() in in_arpinput(). 2001-03-27 12:34:58 +00:00
if_ether.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
if_fddi.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
igmp_var.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
igmp.c Add #include <machine/in_cksum.h>, in order to pick up the checksum 2000-05-06 18:19:58 +00:00
igmp.h $Id$ -> $FreeBSD$ 1999-08-28 01:08:13 +00:00
in_cksum.c $Id$ -> $FreeBSD$ 1999-08-28 01:08:13 +00:00
in_gif.c Another round of the <sys/queue.h> FOREACH transmogriffer. 2001-02-04 16:08:18 +00:00
in_gif.h sync with kame tree as of july00. tons of bug fixes/improvements. 2000-07-04 16:35:15 +00:00
in_hostcache.c Convert more malloc+bzero to malloc+M_ZERO. 2000-12-08 21:51:06 +00:00
in_hostcache.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
in_pcb.c Fix a style(9) nit. 2001-03-16 19:36:23 +00:00
in_pcb.h Remove in_pcbnotify and use in_pcblookup_hash to find the cb directly. 2001-02-26 21:19:47 +00:00
in_proto.c Make netstat(1) to be aware of divert(4) sockets. 2000-08-03 14:09:52 +00:00
in_rmx.c In in_ifadown(), differentiate between whether the interface goes 2001-05-11 14:37:34 +00:00
in_systm.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
in_var.h In in_ifadown(), differentiate between whether the interface goes 2001-05-11 14:37:34 +00:00
in.c In in_ifadown(), differentiate between whether the interface goes 2001-05-11 14:37:34 +00:00
in.h IPv4 address is not unsigned int. This change introduces in_addr_t. 2001-03-23 18:59:31 +00:00
ip6.h remove m_pulldown statistics, which is highly experimental and does not 2000-07-12 16:39:13 +00:00
ip_auth.c fix conflicts 2001-02-04 14:26:56 +00:00
ip_auth.h fix conflicts from rcsids 2000-10-26 12:33:42 +00:00
ip_compat.h fix conflicts 2001-02-04 14:26:56 +00:00
ip_divert.c Mechanical change to use <sys/queue.h> macro API instead of 2001-02-04 13:13:25 +00:00
ip_dummynet.c Sync with the bridge/dummynet/ipfw code already tested in stable. 2001-02-10 00:10:18 +00:00
ip_dummynet.h MFS: bridge/ipfw/dummynet fixes (bridge.c will be committed separately) 2001-02-02 00:18:00 +00:00
ip_ecn.c sync with kame tree as of july00. tons of bug fixes/improvements. 2000-07-04 16:35:15 +00:00
ip_ecn.h sync with kame tree as of july00. tons of bug fixes/improvements. 2000-07-04 16:35:15 +00:00
ip_encap.c Mechanical change to use <sys/queue.h> macro API instead of 2001-02-04 13:13:25 +00:00
ip_encap.h sync with kame tree as of july00. tons of bug fixes/improvements. 2000-07-04 16:35:15 +00:00
ip_fil.c While I'm here, get rid of (now useless) MCLISREFERENCED and use MEXT_IS_REF 2000-11-11 23:05:59 +00:00
ip_fil.h fix conflicts 2001-02-04 14:26:56 +00:00
ip_flow.c Back out the previous change to the queue(3) interface. 2000-05-26 02:09:24 +00:00
ip_flow.h Back out the previous change to the queue(3) interface. 2000-05-26 02:09:24 +00:00
ip_frag.c fix security hole created by fragment cache 2001-04-06 15:52:28 +00:00
ip_frag.h fix security hole created by fragment cache 2001-04-06 15:52:28 +00:00
ip_ftp_pxy.c fix conflicts 2001-02-04 14:26:56 +00:00
ip_fw.c pipe/queue are the only consumers of flow_id, so only set it in those cases 2001-04-06 06:52:25 +00:00
ip_fw.h Introduce a new feature in IPFW: Check of the source or destination 2001-02-13 14:12:37 +00:00
ip_icmp.c MFC candidate. 2001-03-28 14:13:19 +00:00
ip_icmp.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
ip_id.c Add ``options RANDOM_IP_ID'' which randomizes the ID field of IP packets. 2001-06-01 10:02:28 +00:00
ip_input.c Prevent denial of service using bogus fragmented IPv4 packets. 2001-06-03 23:33:23 +00:00
ip_log.c resolve conflicts 2000-08-13 04:31:06 +00:00
ip_mroute.c Add ``options RANDOM_IP_ID'' which randomizes the ID field of IP packets. 2001-06-01 10:02:28 +00:00
ip_mroute.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
ip_nat.c fix security hole created by fragment cache 2001-04-06 15:52:28 +00:00
ip_nat.h fix security hole created by fragment cache 2001-04-06 15:52:28 +00:00
ip_output.c Add ``options RANDOM_IP_ID'' which randomizes the ID field of IP packets. 2001-06-01 10:02:28 +00:00
ip_proxy.c fix conflicts 2000-05-24 04:21:35 +00:00
ip_proxy.h fix conflicts 2001-02-04 14:26:56 +00:00
ip_raudio_pxy.c Fix conflicts creted by import. 2000-10-29 07:53:05 +00:00
ip_rcmd_pxy.c fix conflicts 2001-02-04 14:26:56 +00:00
ip_state.c fix security hole created by fragment cache 2001-04-06 15:52:28 +00:00
ip_state.h fix conflicts from rcsids 2000-10-26 12:33:42 +00:00
ip_var.h Add ``options RANDOM_IP_ID'' which randomizes the ID field of IP packets. 2001-06-01 10:02:28 +00:00
ip.h IPSEC support in the kernel. 1999-12-22 19:13:38 +00:00
ipl.h fix conflicts 2001-02-04 14:26:56 +00:00
ipprotosw.h activate pfil_hooks and covert ipfilter to use it 2000-07-31 13:11:42 +00:00
mlfk_ipl.c Send the remains (such as I have located) of "block major numbers" to 2001-03-26 12:41:29 +00:00
raw_ip.c Add ``options RANDOM_IP_ID'' which randomizes the ID field of IP packets. 2001-06-01 10:02:28 +00:00
tcp_debug.c sync with kame tree as of july00. tons of bug fixes/improvements. 2000-07-04 16:35:15 +00:00
tcp_debug.h Sorry in this just befor code freeze commit. 2000-01-29 11:49:07 +00:00
tcp_fsm.h Undo rev 1.10, which took out TH_FIN from the CLOSING state. This 1999-11-07 04:18:30 +00:00
tcp_input.c Silby's take one on increasing FreeBSD's resistance to SYN floods: 2001-06-06 19:41:51 +00:00
tcp_output.c Undo part of the tangle of having sys/lock.h and sys/mutex.h included in 2001-05-01 08:13:21 +00:00
tcp_reass.c Silby's take one on increasing FreeBSD's resistance to SYN floods: 2001-06-06 19:41:51 +00:00
tcp_seq.h Say goodbye to TCP_COMPAT_42 2001-04-20 11:58:56 +00:00
tcp_subr.c Say goodbye to TCP_COMPAT_42 2001-04-20 11:58:56 +00:00
tcp_timer.c Disable rfc1323 and rfc1644 TCP extensions if we havn't got 2001-05-31 19:24:49 +00:00
tcp_timer.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
tcp_timewait.c Say goodbye to TCP_COMPAT_42 2001-04-20 11:58:56 +00:00
tcp_usrreq.c Say goodbye to TCP_COMPAT_42 2001-04-20 11:58:56 +00:00
tcp_var.h Randomize the TCP initial sequence numbers more thoroughly. 2001-04-17 18:08:01 +00:00
tcp.h o Minor style(9)ism to make consistent with -STABLE 2001-01-09 18:26:17 +00:00
tcpip.h Remove struct full_tcpiphdr{}. 2001-02-26 20:10:16 +00:00
udp_usrreq.c Count and show incoming UDP datagrams with no checksum. 2001-03-13 13:26:06 +00:00
udp_var.h remove unused data structure definition, and corresponding macro into*() 2001-02-18 07:10:03 +00:00
udp.h $Id$ -> $FreeBSD$ 1999-08-28 01:08:13 +00:00