Date: Fri, 14 May 1999 16:14:48 -0600
From: Brett Glass <brett@lariat.org>
To: Harold Gutch <logix@foobar.franken.de>, Matthew Dillon <dillon@apollo.backplane.com>
Cc: Jared Mauch <jared@puck.Nether.net>, Thamer Al-Herbish <shadows@whitefang.com>, security@FreeBSD.ORG
Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
Message-ID: <4.2.0.37.19990514161228.046541f0@localhost>
In-Reply-To: <19990515001018.A22645@foobar.franken.de>
References: <4.2.0.37.19990514154319.04610b80@localhost> <199905140438.VAA97604@apollo.backplane.com> <Pine.BSF.4.05.9905131824250.267-100000@rage.whitefang.com> <4.2.0.37.19990513161529.00c1e3f0@localhost> <Pine.BSF.4.05.9905131824250.267-100000@rage.whitefang.com> <4.2.0.37.19990513202450.0444fca0@localhost> <199905140438.VAA97604@apollo.backplane.com> <19990514072546.A20779@foobar.franken.de> <4.2.0.37.19990514133829.0461e220@localhost> <19990514225001.A22317@foobar.franken.de> <4.2.0.37.19990514154319.04610b80@localhost>

At 12:10 AM 5/15/99 +0200, Harold Gutch wrote:

>Why should we do anything at all ? Our current tactic (simply
>dropping sockets in SYN_RCVD state) if a certain backlog fills up
>and another SYN comes in seems to work quite well. You'll get in
>trouble though if the flooder manages to flush through the
>complete backlog in a timeframe shorter than the 2nd and the 3rd
>packet of the handshake take for the way back to the client and
>back to the server again.

You can still mount an effective DoS with a SYN flood by killing
a LARGE percentage of the new connections to the box.

> It may also depend on the complexity of your routing tables.
> >
>
>1 loopback-route, 2 host routes, 2 network routes and a
>default-route. Not much, but I could add a number of bogus routes
>and try to crash the box then by SYN-flooding it.
>
>How many routes should I add ?

I'm not sure. It also may depend on whether the table is in flux.
See the original BUGTRAQ message which points out the bug.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
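
A rough model of the trade-off argued over in this message, added here as an example; it is not part of the original e-mail and is not FreeBSD's code. It assumes a full backlog in which every flood SYN evicts one SYN_RCVD entry, either at random or oldest-first; both policies, the function names and the sample numbers are assumptions.

```python
import random

def evictions(flood_pps, rtt_s):
    """Flood SYNs that arrive while a legitimate entry waits one RTT for its ACK."""
    return round(flood_pps * rtt_s)

def survival_random_drop(backlog, flood_pps, rtt_s):
    """Random eviction (assumed policy): each flood SYN removes one of
    `backlog` entries uniformly, so an entry survives k evictions with
    probability (1 - 1/backlog)**k."""
    return (1.0 - 1.0 / backlog) ** evictions(flood_pps, rtt_s)

def survival_oldest_drop(backlog, flood_pps, rtt_s):
    """Oldest-first eviction (assumed policy): the entry is lost as soon as
    `backlog` newer SYNs arrive before the handshake completes."""
    return 1.0 if evictions(flood_pps, rtt_s) < backlog else 0.0

def simulate_random_drop(backlog, flood_pps, rtt_s, trials=2000, seed=1):
    """Monte Carlo check of the closed form: slot 0 holds the legitimate
    entry, and each flood SYN overwrites a uniformly chosen slot."""
    rng = random.Random(seed)
    k = evictions(flood_pps, rtt_s)
    survived = 0
    for _ in range(trials):
        if all(rng.randrange(backlog) != 0 for _ in range(k)):
            survived += 1
    return survived / trials

if __name__ == "__main__":
    # Constructed sample values: 128-entry backlog, client 200 ms away.
    backlog, rtt = 128, 0.2
    print("flood_pps  random_drop  oldest_drop")
    for pps in (100, 500, 1000, 5000):
        print(f"{pps:9d}  {survival_random_drop(backlog, pps, rtt):11.3f}"
              f"  {survival_oldest_drop(backlog, pps, rtt):11.1f}")
```

In this model the fraction of legitimate handshakes that complete depends only on backlog size and on flood rate times client round-trip time, so distant clients are lost first while nearby ones still connect.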