SYN flooding -- drop policies

Vadim Antonov writes:

Mike O'Dell suggested using drop oldest in some situations.

Unfortunately it is about as good as RED if source of good
SYNs is deterministic and is *much* worse then RED if it
is bursty.

Not really true untill traffic levels become very high. You have to
keep in mind that legitimate half open connections very fast (with a
couple of RTTs at most) become fully open connections, whereas the
illegitimate connections tend to hang out for the full 75
seconds. Drop oldest in most cases is equivalent to cutting back the
maximum timeout, which in practice drops only the illegitimate entries
in the queue.

Random drop becomes useful with the characteristics of connections
being dropped and connections being kept start becoming similar --
that is, when the queue fills in less than an RTT or two. At that
point, RED like algorithms start to shine.

The question of what max. queue length is the best remains
pretty much open; as well as how it interacts with back-off
SYN retransmissions.

The new Borman code for 4.4lite2 allows you to accomodate a queue with
tens of thousands of half open connections with comparitively little
memory used. I think its a reasonable approach, modulo the fact that
it actually doesn't allow strict oldest drop.