[strongSwan-dev] DoS protection questions
Tobias Brunner
tobias at strongswan.org
Wed Apr 4 12:12:15 CEST 2018
> Furthermore, I am afraid we actually queue a lot of jobs (more than one) when the counter is decreased by one.
> I think it may be the root problem?
Yes, until the next IKE_SA is checked in packets will be processed.
> The only visible effect is to set a job limit, but since it is global we could prevent high priority jobs to run properly.
It's not a limit on the number of jobs, it's a limit that causes
IKE_SA_INITs to get dropped when the number of jobs exceeds the
configured number.
Regards,
Tobias
More information about the Dev
mailing list