
Aren't SYN-cookies [0] the traditional defence against SYN floods? The proxy, or a device in front of it, could take care of that. Only connections that complete the 3-way handshake would take up any room in the connection table.

0 - http://tools.ietf.org/html/rfc4987




It's just the sheer amount of packets hitting our network that causes the issue, not what is inside them!


I don't understand. Why is it simple to filter UDP but not simple to filter based on a cookie? Is the validation CPU-expensive in bulk? Do you not have the capability to filter that way at the boundary?
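An added example, not part of the thread and not any particular stack's code: a simplified SYN cookie in Python, showing how the server's initial sequence number can carry the handshake state so that nothing is stored until the final ACK validates. The layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash), the key, the MSS table and the function names are assumptions for illustration; real implementations differ in detail.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"      # assumption: a random per-boot secret in practice
MSS_TABLE = [536, 1220, 1440, 1460]   # assumption: small table of encodable MSS values
WINDOW = 64                           # seconds per time-counter tick

def _mac24(tup, client_isn, counter):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the time counter."""
    src_ip, src_port, dst_ip, dst_port = tup
    msg = f"{src_ip}|{src_port}|{dst_ip}|{dst_port}|{client_isn}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(tup, client_isn, mss, now):
    """Server ISN for the SYN-ACK; no per-connection state is kept."""
    counter = int(now) // WINDOW
    # Largest table entry not exceeding the client's MSS (clamped to the smallest).
    mss_idx = max(i for i, m in enumerate(MSS_TABLE) if m <= max(mss, MSS_TABLE[0]))
    return ((counter % 32) << 27) | (mss_idx << 24) | _mac24(tup, client_isn, counter)

def check_cookie(tup, client_isn, ack_number, now, max_age=2):
    """Validate the final ACK. Returns the encoded MSS, or None if invalid/expired."""
    cookie = (ack_number - 1) & 0xFFFFFFFF      # the ACK acknowledges server ISN + 1
    mss_idx = (cookie >> 24) & 0x7
    current = int(now) // WINDOW
    for age in range(max_age + 1):              # accept only recent counter values
        counter = current - age
        if counter < 0 or (counter % 32) != (cookie >> 27):
            continue
        expected = _mac24(tup, client_isn, counter).to_bytes(3, "big")
        if hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[mss_idx] if mss_idx < len(MSS_TABLE) else None
    return None

if __name__ == "__main__":
    # Constructed sample connection (documentation address ranges).
    conn = ("198.51.100.7", 40000, "203.0.113.10", 443)
    isn = make_cookie(conn, client_isn=12345, mss=1460, now=1000)
    print(hex(isn), check_cookie(conn, 12345, (isn + 1) & 0xFFFFFFFF, now=1030))
```

Validation is one keyed hash per ACK with no table lookup, but every SYN still has to arrive and be answered with a SYN-ACK, so the cookie protects the connection table rather than the link.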



