SYN Flood detection - what are reasonable values
Ian Laurie
iml at zip.com.au
Mon Dec 13 08:14:54 UTC 2004
Some *practical* firewall advice needed from people running
with SYN flood detection rules..... what do you consider
reasonable limit and burst-limit values? The classic textbook
values of 5 and 10 seem unreasonable as in:
-A INP_FLOOD -m limit --limit 5/second --limit-burst 10 -j RETURN
-A INP_FLOOD -j LOG --log-prefix "SYN-FLOOD: "
-A INP_FLOOD -j DROP
These just don't seem to work, especially with NFS active. I'm
currently running with:
-A INP_FLOOD -m limit --limit 10/second --limit-burst 50 -j RETURN
But I'm curious as to what other people are running on their LAN
servers, especially ones running NFS.
Ian
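The limit match Ian's rules rely on is a token bucket: --limit-burst is the bucket size, --limit the refill rate. The following model of that behaviour is an added example, not code from the post or from the kernel's xt_limit module (which counts credits at jiffy granularity, so treat it as an approximation); it feeds constructed SYN arrival patterns through an INP_FLOOD chain to compare the 5/10 and 10/50 settings.

```python
# Token-bucket model of iptables '-m limit --limit R/second --limit-burst B'.
# Added example, not from the original post; it approximates xt_limit.


class LimitMatch:
    """A bucket holding up to `burst` tokens, refilled at `rate` tokens per
    second. A packet matches (here: RETURNs from INP_FLOOD) when a whole
    token is available; otherwise it falls through to LOG and DROP."""

    def __init__(self, rate_per_sec, burst):
        # tokens in millitokens and time in milliseconds keep the
        # arithmetic exact (no float drift in the comparisons below)
        self.rate = rate_per_sec
        self.cap = burst * 1000
        self.tokens = self.cap          # bucket starts full
        self.last_ms = 0

    def match(self, t_ms):
        elapsed = t_ms - self.last_ms
        self.tokens = min(self.cap, self.tokens + elapsed * self.rate)
        self.last_ms = t_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def run_inp_flood(arrival_ms, rate_per_sec, burst):
    """Feed SYN arrival times (ms) through the INP_FLOOD chain.
    Returns (accepted, logged_and_dropped)."""
    m = LimitMatch(rate_per_sec, burst)
    accepted = dropped = 0
    for t in arrival_ms:
        if m.match(t):
            accepted += 1      # -j RETURN
        else:
            dropped += 1       # -j LOG --log-prefix "SYN-FLOOD: ", then -j DROP
    return accepted, dropped


def syn_train(count, spacing_ms, start_ms=0):
    """Constructed arrival pattern: `count` SYNs `spacing_ms` apart."""
    return [start_ms + i * spacing_ms for i in range(count)]


if __name__ == "__main__":
    # constructed: one NFS client opening 30 connections 10 ms apart
    nfs = syn_train(30, 10)
    print("5/s burst 10 :", run_inp_flood(nfs, 5, 10))    # (11, 19)
    print("10/s burst 50:", run_inp_flood(nfs, 10, 50))   # (30, 0)
    # constructed: a sustained 1000 SYN/s flood lasting one second
    flood = syn_train(1000, 1)
    print("10/s burst 50, flood:", run_inp_flood(flood, 10, 50))  # (59, 941)
```

The 5/10 rule drops most of a legitimate 30-connection burst, while 10/50 passes it entirely yet still discards over 90% of a sustained 1000 SYN/s flood, which is why burst size matters more than rate for LAN servers with bursty clients.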