On Fri, 01 Jun 2007 23:34:02 +0200
Martijn Lievaart <m@rtij.nl> wrote:
> > Then your original description was incorrect or at least inadequate. It has
> > nothing to do with SYN as originally suggested since an ESTABLISHED
> > connection has blown past SYN, through SYN/ACK and by ACK. It has completed
> > the TCP handshake, as you note above. A SYN attack/flood would stop after
> > sending the initial SYN and leave the connection half-open to exhaust the
> > half-open buffers.
> >
>
> An connection is in the ESTABLISHED state once a packet has been seen.
> So once the SYN is seen, the state is ESTABLISHED.
I think you meant "So once the SYN is seen, the state is NEW".
The state will change to ESTABLISHED as soon as netfiletr sees the SYN+ACK
response.
My 2 cents.
Cheers.
Ethy
|