Date:      Fri, 14 May 1999 07:25:46 +0200
From:      Harold Gutch <logix@foobar.franken.de>
To:        Matthew Dillon <dillon@apollo.backplane.com>, Brett Glass <brett@lariat.org>
Cc:        Jared Mauch <jared@puck.Nether.net>, Thamer Al-Herbish <shadows@whitefang.com>, security@FreeBSD.ORG
Subject:   Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
Message-ID:  <19990514072546.A20779@foobar.franken.de>
In-Reply-To: <199905140438.VAA97604@apollo.backplane.com>; from Matthew Dillon on Thu, May 13, 1999 at 09:38:16PM -0700
References:  <Pine.BSF.4.05.9905131824250.267-100000@rage.whitefang.com> <4.2.0.37.19990513161529.00c1e3f0@localhost> <Pine.BSF.4.05.9905131824250.267-100000@rage.whitefang.com> <4.2.0.37.19990513202450.0444fca0@localhost> <199905140438.VAA97604@apollo.backplane.com>

On Thu, May 13, 1999 at 09:38:16PM -0700, Matthew Dillon wrote:
>     The only way to mitigate the SYN flooding problem on the host side is to
>     greatly increase the size of the listen queue, but even this does not work
>     too well.
> 
What about the Linux way of doing it, that is, creating an
MD5 hash over the source and destination IP and port and a
secret which is incremented, say, every minute, and using the
result as a base for your own sequence number?

You don't lose a socket before you get the third handshake
packet, and you can verify the sequence number using MD5 again.

I found this idea to be quite interesting when reading about it
the first time, and I currently don't see any negative side
effects from it.

The FreeBSD approach (just discarding the oldest socket in
SYN_RCVD state when the backlog gets too high) works often enough
as well, but might cause problems if the flooder sends you more
SYNs than your backlog can handle in a shorter timeframe than
your SYN|ACK needs for its way back to somebody who tries to
establish a normal connection and his answer back to you takes.

bye,
  Harold

-- 
<Shabby> Sleep is an abstinence syndrome which occurs due to lack of caffeine.
Wed Mar  4 04:53:33 CET 1998   #unix, ircnet
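The stateless SYN|ACK scheme Harold describes (MD5 over the 4-tuple plus a secret that rotates every minute, the result used as the server's ISN and re-checked when the third handshake packet arrives), worked through as an added example that is not code from the mail, from Linux or from FreeBSD. The secret, addresses and timestamps are constructed demo values, and accepting the previous minute's secret as a grace window is an assumption the mail does not spell out.

```python
import hashlib
import socket
import struct

# Constructed demo values: a real kernel draws the secret from a CSPRNG and
# rotates it on a timer; the one-minute epoch follows the scheme in the mail.
SECRET = b"constructed-demo-secret-rotated-per-minute"
EPOCH_SECONDS = 60
MASK32 = 0xFFFFFFFF


def _cookie(saddr, daddr, sport, dport, epoch):
    """MD5 over (4-tuple, minute counter, secret), truncated to a 32-bit ISN."""
    data = struct.pack("!4s4sHHq", socket.inet_aton(saddr), socket.inet_aton(daddr),
                       sport, dport, epoch) + SECRET
    return int.from_bytes(hashlib.md5(data).digest()[:4], "big")


def server_isn(saddr, daddr, sport, dport, now):
    """ISN the server puts in its SYN|ACK; no state is kept for the half-open connection."""
    return _cookie(saddr, daddr, sport, dport, int(now) // EPOCH_SECONDS)


def verify_ack(saddr, daddr, sport, dport, ack_num, now):
    """Third-handshake check: the client's ACK number must be our cookie + 1.

    Assumption (not stated in the mail): the previous minute's secret is also
    accepted, so a SYN|ACK sent just before the epoch rolled over can still complete.
    """
    epoch = int(now) // EPOCH_SECONDS
    expected = (ack_num - 1) & MASK32
    return any(_cookie(saddr, daddr, sport, dport, e) == expected
               for e in (epoch, epoch - 1))


def demo():
    """Legitimate ACK completes even across a secret rotation; a stale ACK from
    two minutes later and an ACK with a forged number are both rejected."""
    client, server, sport, dport = "192.0.2.10", "198.51.100.1", 40000, 80
    t_syn = 1000 * EPOCH_SECONDS + 59          # SYN arrives one second before rollover
    isn = server_isn(client, server, sport, dport, t_syn)
    good = verify_ack(client, server, sport, dport, (isn + 1) & MASK32, t_syn + 5)
    stale = verify_ack(client, server, sport, dport, (isn + 1) & MASK32, t_syn + 130)
    forged = verify_ack(client, server, sport, dport, (isn + 0x1234) & MASK32, t_syn + 5)
    return good, stale, forged


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```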


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990514072546.A20779>