Sindarina, Finder of Edge Cases

I'm listening to the Con Law podcast, and it occurs to me that 'House Unamerican' makes for an excellent name. Band, rah rah, but you could also drop it into SF/F as something like 'House Unameric' or similar.

Like, hell no. It has not been forgotten. It is known how you behave when criticised, you have not fixed that, you do not want to fix it ... but you come to me for a cookie? Fuck that performative allyship that wants to fix others, but skips yourself.

Which often includes the coopting of language. Like, an old friend of mine sent me an email this week touting his ally achievements, as something positive, when the last thing that happened between us was negative, related, and something he wants to 'agree to disagree' on

And the problem with that is that, if you see both, or more often more than 'both', it is a totally obvious pattern, and one that ruins any trust that they may have built on that side, because they show all the resistant behaviour with that same tenacity.

It's kind of amazing how often people show that they are making an effort to ditch certain habits in one area, making decent progress, and then absolutely, totally fuck it up on another axis, and digging in if that's pointed out to them. Like, you are doing the thing, again.

Especially against that monolithic Java backend that was supposed to be a fleet of microservices

Seriously, rate limiting is ops magic. Against adversaries both foreign and domestic. Like those mobile developers who can't seem to wrap their heads around the fact that opening dozens of connections at once as soon as the app wakes up is not a solid strategy.

Anyone remember the Zeus web server? Their URL is still in the 'ab' bench testing tool, and it's been jacked for goodness knows how long by now. I am having a tiny, tiny sad over this.

The secret, when doing it at the packet level, is to not just rate limit the incoming connections, but also the responding packets, since keepalive means you can jam a ton of requests across a single connection

Of course it turns out that you can just skip the individual TCP flag filters, and just catch all the invalid packets via a single connection tracking rule; "ct state invalid counter drop"

Basically, it turns this; "-p tcp --tcp-flags SYN,RST SYN,RST" into this; "tcp flags & syn|rst == syn|rst" which then becomes this; "tcp flags & (syn | rst) | rst == syn | rst" when what you need is this; "tcp flags & (syn|rst) == syn|rst" Lovely syntax, isn't it?

And here's the XKCD https://xkcd.com/979/