Not many packets dropping might be OK. In fact, I'd expect it (and would only worry if most of the flood came back with ACKs).
SYN floods try to starve your memory resources by keeping TCP connections half open and waiting for the timeout to sweep them out. But SYN cookies prevent that. So as long as memory allocation doesn't skyrocket when you don't see packet drops, that's a-ok.
Andrew
On Jun 27, 2017, at 3:19 PM, lleachii--- via 44Net <44net@hamradio.ucsd.edu> wrote:

> Andrew,
> Yes, I noticed that my device is actually blocking the traffic by implementing SYN Cookies and SYN Flood firewall rules. It was logged by the system, but no SYN_Floods made it through.
> Further inspecting the firewall, only 5 packets in over 20,000 were dropped. Perhaps the SYN Flood setting is too sensitive for a series of multiple DNS queries at the same time. The "block SYN Flood" setting is pre-built by LEDE, so I'll have to review the rules as they pertain to behavior with TCP DNS queries.
> - KB3VWG
>
> So not sure if your concern is primarily about the SYN flood or something else, but the system tuning in SYN cookies is a great thing. Essentially it's a challenge-response for the users to do the heavy lifting before the host goes through the motions to set up a TCP flow and consume resources. Essentially this limits the 3WS to completing only for valid connections.
44Net mailing list
44Net@hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
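To make the challenge-response Andrew describes concrete, here is an added example (not from the thread, not the Linux kernel's code) of a stateless SYN-cookie listener: the server encodes the half-open state into the SYN-ACK's sequence number and recovers it from the client's ACK, so a flood of unanswered SYNs stores nothing. It follows the classic Bernstein layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash) but swaps in HMAC-SHA256 and a constructed secret; the 44.x addresses and port 53 are constructed to mirror the TCP DNS case discussed.

```python
import hashlib
import hmac
import os
import time

# Simplified classic SYN-cookie layout (32-bit sequence number):
#   bits 31..27 : counter t = now / 64 s, so a cookie expires after ~1-2 minutes
#   bits 26..24 : index into a small table of MSS values the client offered
#   bits 23..0  : keyed hash over the 4-tuple and t (HMAC-SHA256 here, an assumption)
MSS_TABLE = (536, 1300, 1440, 1460)
SECRET = os.urandom(32)  # constructed per-process secret; a host would rotate this


def _hash24(secret, saddr, daddr, sport, dport, t):
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{t}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, mss, now, secret=SECRET):
    """Sequence number to send in the SYN-ACK. Nothing about the client is stored."""
    t = (now // 64) & 0x1F
    idx = 0
    for i, m in enumerate(MSS_TABLE):  # largest table entry not above the offered MSS
        if m <= mss:
            idx = i
    return (t << 27) | (idx << 24) | _hash24(secret, saddr, daddr, sport, dport, t)


def check_cookie(cookie, saddr, daddr, sport, dport, now, secret=SECRET):
    """Validate the cookie echoed back (ACK number - 1). Returns the MSS, or None if forged/stale."""
    t = (cookie >> 27) & 0x1F
    cur = (now // 64) & 0x1F
    if t not in (cur, (cur - 1) & 0x1F):  # accept only the current or previous 64 s window
        return None
    if (cookie & 0xFFFFFF) != _hash24(secret, saddr, daddr, sport, dport, t):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]


if __name__ == "__main__":
    now = int(time.time())
    # constructed flood: 10,000 spoofed SYNs that never ACK cost the listener no memory
    for i in range(10_000):
        make_cookie(f"10.0.{i // 256}.{i % 256}", "44.0.0.1", 1024 + i, 53, 1460, now)
    # a real TCP DNS client completes the 3-way handshake by echoing cookie + 1
    c = make_cookie("44.1.2.3", "44.0.0.1", 40000, 53, 1460, now)
    print("legit ACK  ->", check_cookie(c, "44.1.2.3", "44.0.0.1", 40000, 53, now))
    print("forged ACK ->", check_cookie(c ^ 1, "44.1.2.3", "44.0.0.1", 40000, 53, now))
```

Only a client that actually received the SYN-ACK can produce a valid ACK, which is why the handshake completes solely for real connections while spoofed floods fall through.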