From owner-freebsd-security Thu May 13 22:26:54 1999
Delivered-To: freebsd-security@freebsd.org
Received: from foobar.franken.de (foobar.franken.de [194.94.249.81]) by hub.freebsd.org (Postfix) with ESMTP id 71B90154C8 for ; Thu, 13 May 1999 22:26:49 -0700 (PDT) (envelope-from logix@foobar.franken.de)
Received: (from logix@localhost) by foobar.franken.de (8.8.8/8.8.5) id HAA20794; Fri, 14 May 1999 07:25:46 +0200 (CEST)
Message-ID: <19990514072546.A20779@foobar.franken.de>
Date: Fri, 14 May 1999 07:25:46 +0200
From: Harold Gutch
To: Matthew Dillon , Brett Glass
Cc: Jared Mauch , Thamer Al-Herbish , security@FreeBSD.ORG
Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
References: <4.2.0.37.19990513161529.00c1e3f0@localhost> <4.2.0.37.19990513202450.0444fca0@localhost> <199905140438.VAA97604@apollo.backplane.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <199905140438.VAA97604@apollo.backplane.com>; from Matthew Dillon on Thu, May 13, 1999 at 09:38:16PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, May 13, 1999 at 09:38:16PM -0700, Matthew Dillon wrote:
> The only way to mitigate the SYN flooding problem on the host side is to
> greatly increase the size of the listen queue, but even this does not work
> too well.
>

What about the Linux way of doing it, that is, creating an MD5 hash over the source and destination IP and port and a secret which is incremented, say, every minute, and using the result as the base for one's own sequence number. You don't lose a socket before you get the third handshake packet, and you can verify the sequence number using MD5 again. I found this idea quite interesting when reading about it the first time, and I currently don't see any negative side effects from it.
The FreeBSD approach (just discarding the oldest socket in SYN_RCVD state when the backlog gets too high) works often enough as well, but might cause problems if the flooder sends you more SYNs than your backlog can handle in a shorter timeframe than your SYN|ACK needs for its way back to somebody who tries to establish a normal connection, plus the time his answer back to you takes.

bye,
  Harold

--
Sleep is an abstinence syndrome which occurs due to lack of caffeine.
Wed Mar 4 04:53:33 CET 1998 #unix, ircnet
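To make the mechanism Harold describes concrete, here is an added, self-contained model of SYN cookies. It is not code from the post, from Linux or from FreeBSD; it is an illustrative stand-in that follows the description above: the server answers every SYN with a sequence number derived from MD5 over the 4-tuple and a secret that rotates every minute, keeps no SYN_RCVD entry at all, and only recomputes the hash when the third packet (the ACK) arrives. Everything beyond the post is an assumption chosen for the demo: the 32-bit cookie layout (top 8 bits carry the low byte of the minute counter, low 24 bits carry truncated MD5 output), the per-minute secret being derived from a long-lived master secret plus the counter, the two-minute acceptance window, the class and function names, and all addresses and timestamps (constructed test data).

```python
import hashlib
import hmac
import ipaddress
import secrets
import struct

COUNTER_PERIOD = 60  # seconds per secret rotation ("incremented every minute")


class SynCookieServer:
    """Illustrative stateless SYN handling (assumption: not the Linux/FreeBSD code).

    A SYN produces a cookie ISN but no stored state; an ACK is accepted only if
    it carries a cookie that recomputes correctly under the current or the
    previous minute's secret.
    """

    def __init__(self, master_secret=None):
        # Assumption: the per-minute secret is MD5(master_secret || counter)
        # rather than an independently generated value per minute.
        self.master_secret = master_secret or secrets.token_bytes(16)
        self.established = []          # only fully handshaked 4-tuples live here

    @staticmethod
    def _counter(now):
        return int(now // COUNTER_PERIOD)

    def _hash24(self, counter, src_ip, src_port, dst_ip, dst_port):
        """24 bits of MD5 over 4-tuple + rotating secret (layout is an assumption)."""
        h = hashlib.md5()
        h.update(ipaddress.ip_address(src_ip).packed)
        h.update(ipaddress.ip_address(dst_ip).packed)
        h.update(struct.pack("!HH", src_port, dst_port))
        h.update(struct.pack("!Q", counter))
        h.update(self.master_secret)
        return int.from_bytes(h.digest()[:3], "big")

    def pending_count(self):
        """Half-open connections held in memory: always 0 with cookies."""
        return 0

    def syn_received(self, now, src_ip, src_port, dst_ip, dst_port):
        """Return the ISN to put in SYN|ACK. Nothing is stored for this client."""
        counter = self._counter(now)
        return ((counter & 0xFF) << 24) | self._hash24(
            counter, src_ip, src_port, dst_ip, dst_port)

    def ack_received(self, now, src_ip, src_port, dst_ip, dst_port, ack_num):
        """Third handshake packet: rebuild the cookie and compare in constant time."""
        cookie = (ack_num - 1) & 0xFFFFFFFF          # peer acks ISN + 1
        counter_low = cookie >> 24
        current = self._counter(now)
        # Accept this minute's secret and the previous one, so a cookie issued
        # just before rotation still verifies one round trip later.
        for candidate in (current, current - 1):
            if (candidate & 0xFF) != counter_low:
                continue
            expected = self._hash24(candidate, src_ip, src_port, dst_ip, dst_port)
            if hmac.compare_digest(expected.to_bytes(3, "big"),
                                   (cookie & 0xFFFFFF).to_bytes(3, "big")):
                self.established.append((src_ip, src_port, dst_ip, dst_port))
                return True
        return False                                  # forged, stale or wrong tuple


def demo():
    """Constructed scenario: legit client, forged ACK, stale ACK, and a SYN flood."""
    server = SynCookieServer(master_secret=b"constructed-demo-secret")
    srv = "198.51.100.1"
    t0 = 16667 * COUNTER_PERIOD + 0.0      # aligned to a rotation boundary
    results = {}

    # 1. Normal handshake: SYN at t0, ACK 200 ms later.
    isn = server.syn_received(t0, "203.0.113.7", 40000, srv, 80)
    results["legit"] = server.ack_received(
        t0 + 0.2, "203.0.113.7", 40000, srv, 80, (isn + 1) & 0xFFFFFFFF)

    # 2. Spoofed ACK reusing that cookie from a different source port.
    results["forged"] = server.ack_received(
        t0 + 0.2, "203.0.113.7", 40001, srv, 80, (isn + 1) & 0xFFFFFFFF)

    # 3. Same cookie replayed three minutes later: outside the two-secret window.
    results["stale"] = server.ack_received(
        t0 + 3 * COUNTER_PERIOD, "203.0.113.7", 40000, srv, 80, (isn + 1) & 0xFFFFFFFF)

    # 4. Cookie issued just before rotation, ACK arrives in the next minute.
    isn2 = server.syn_received(t0 + 5, "203.0.113.8", 50000, srv, 80)
    results["previous_minute"] = server.ack_received(
        t0 + 70, "203.0.113.8", 50000, srv, 80, (isn2 + 1) & 0xFFFFFFFF)

    # 5. 10,000 spoofed SYNs that never complete: no backlog consumed.
    for i in range(10_000):
        server.syn_received(t0, f"10.0.{(i >> 8) & 255}.{i & 255}", 1024 + (i % 1000), srv, 80)
    results["pending_state"] = server.pending_count()
    results["established"] = len(server.established)
    return results


if __name__ == "__main__":
    print(demo())
```

The point the flood step makes is the one in the post: a SYN costs the server one hash and a reply, never a socket, so the "more SYNs than the backlog can hold within one round trip" race that hurts the oldest-entry-drop approach does not arise. What the model also shows by omission is the cost real implementations pay: nothing about the original SYN survives except what fits in the 32 cookie bits, so TCP options negotiated in the SYN (MSS, window scaling, SACK) have to be squeezed into those bits or given up; Linux spends a few of the bits on an MSS index, which the model above leaves out.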