Date: Tue, 24 Sep 1996 03:08:58 +0930 (CST)
From: Peter Childs <pjchilds@imforei.apana.org.au>
To: msmith@atrad.adelaide.edu.au (Michael Smith), freebsd-security@freebsd.org, newton@cleese.apana.org.au
Subject: Re: SYN flood attack thoughts
Message-ID: <199609231738.DAA00493@al.imforei.apana.org.au>
Mike Smith wrote...
: Mark Newton stands accused of saying:
: > Nathan Lawson wrote:
: >
: > > I have not tested this hybrid algorithm yet, but would appreciate input.
: >
: > Input, eh?  Would a few million SYNs do?  :-)
: It's amusing that while all this pissing and moaning was going on, John
: Capo did the testing required to actually prove or disprove the various
: theories, and someone (PST?) committed the results.

The commit logs say it all. IMHO with the sysctl changes added (and brought into the -stable tree) and the listendrop stats all these changes should provide enuff starting ammo for the sysadmin under attack. I guess time will tell :)

pst 96/09/20 14:25:23

  Modified:    sys/netinet  tcp_input.c
  Log:
  If the incomplete listen queue for a given socket is full, drop the oldest
  entry in the queue. There was a fair bit of discussion as to whether or
  not the proper action is to drop a random entry in the queue. It's my
  conclusion that a random drop is better than a head drop, however
  profiling this section of code (done by John Capo) shows that a head-drop
  results in a significant performance increase. There are scenarios where
  a random drop is more appropriate. If I find one in reality, I'll add the
  random drop code under a conditional.

  Obtained from: discussions and code done by Vernon Schryver (vjs@sgi.com).

  Revision  Changes    Path
  1.49      +18 -5     src/sys/netinet/tcp_input.c

 Peter

--
 Peter Childs --- http://www.imforei.apana.org.au/~pjchilds
 Finger pjchilds@al.imforei.apana.org.au for public PGP key
 Drag me, drop me, treat me like an object!
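The commit log quoted above describes a queue-management policy: when a listening socket's incomplete (half-open) queue is full, evict the oldest entry rather than refusing the new SYN, with random eviction left as a possible conditional variant. The following is an added, self-contained C model of that policy, written for this page and not taken from the FreeBSD tcp_input.c change or from Vernon Schryver's code. Everything in it is a simplification: the `listen_queue` ring buffer, the `QLEN_MAX` limit, the `lq_*` function names and the `random_drop` flag (standing in for the "under a conditional" idea) are all assumptions, and the peer addresses and ports fed in are constructed sample values. It keeps a `listendrop` counter in the spirit of the stats mentioned in the mail, and shows why a head drop is cheaper: removing the head only advances an index, while removing a random entry has to close the gap behind it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define QLEN_MAX 4   /* hypothetical limit on half-open entries per listening socket */

/* One SYN_RCVD entry: a constructed, minimal stand-in for a real half-open connection. */
struct half_open {
    uint32_t peer_addr;   /* peer IPv4 address as an integer (constructed sample values) */
    uint16_t peer_port;
};

/* Per-socket incomplete listen queue, modelled as a ring buffer ordered oldest-first. */
struct listen_queue {
    struct half_open q[QLEN_MAX];
    int head;                  /* slot index of the oldest entry */
    int count;                 /* entries currently queued */
    int random_drop;           /* 0 = drop the oldest entry (committed policy), 1 = drop a random one */
    unsigned long listendrop;  /* entries evicted because the queue was full (stats counter) */
};

void lq_init(struct listen_queue *lq, int random_drop)
{
    memset(lq, 0, sizeof *lq);
    lq->random_drop = random_drop;
}

/* Slot index of the i-th oldest entry (i == 0 is the oldest). */
static int lq_slot(const struct listen_queue *lq, int i)
{
    return (lq->head + i) % QLEN_MAX;
}

/* Remove the i-th oldest entry and close the gap. Removing the head is O(1);
 * removing anything else shifts every younger entry down, which is the extra
 * work a random drop pays compared with a head drop. */
static void lq_remove_at(struct listen_queue *lq, int i)
{
    if (i == 0) {
        lq->head = (lq->head + 1) % QLEN_MAX;
    } else {
        for (int j = i; j < lq->count - 1; j++)
            lq->q[lq_slot(lq, j)] = lq->q[lq_slot(lq, j + 1)];
    }
    lq->count--;
}

/* A SYN arrived for the listening socket. If the queue is full, evict an
 * existing entry first (oldest, or random under the flag), then enqueue the
 * newcomer at the tail. Returns 1 if an eviction happened, 0 otherwise. */
int lq_syn_received(struct listen_queue *lq, uint32_t addr, uint16_t port)
{
    int evicted = 0;
    if (lq->count == QLEN_MAX) {
        int victim = lq->random_drop ? rand() % lq->count : 0;
        lq_remove_at(lq, victim);
        lq->listendrop++;
        evicted = 1;
    }
    struct half_open *e = &lq->q[lq_slot(lq, lq->count)];
    e->peer_addr = addr;
    e->peer_port = port;
    lq->count++;
    return evicted;
}

/* The final ACK of the handshake arrived: the matching entry leaves the
 * incomplete queue. Returns 1 if it was found, 0 if it had already been evicted. */
int lq_handshake_completed(struct listen_queue *lq, uint32_t addr, uint16_t port)
{
    for (int i = 0; i < lq->count; i++) {
        const struct half_open *e = &lq->q[lq_slot(lq, i)];
        if (e->peer_addr == addr && e->peer_port == port) {
            lq_remove_at(lq, i);
            return 1;
        }
    }
    return 0;
}

/* Port of the i-th oldest entry, or 0 if out of range (used for inspection). */
uint16_t lq_port_at(const struct listen_queue *lq, int i)
{
    return (i >= 0 && i < lq->count) ? lq->q[lq_slot(lq, i)].peer_port : 0;
}

/* Scenario: five SYNs from one constructed peer (10.0.0.1) into a four-entry
 * queue. Returns the port of the oldest surviving entry (2 under head drop). */
int scenario_burst(struct listen_queue *lq, int random_drop)
{
    lq_init(lq, random_drop);
    for (uint16_t p = 1; p <= 5; p++)
        lq_syn_received(lq, 0x0A000001u, p);
    return lq_port_at(lq, 0);
}

int main(void)
{
    struct listen_queue lq;
    int oldest = scenario_burst(&lq, 0);
    printf("head drop: entries=%d listendrop=%lu oldest_port=%d\n",
           lq.count, lq.listendrop, oldest);
    return 0;
}
```

With head drop the fifth SYN evicts port 1 and the queue holds ports 2 through 5; a legitimate client whose entry was evicted simply fails `lq_handshake_completed` and retransmits, which is the trade-off the commit log accepts. The `listendrop` counter is the figure an administrator would watch to tell a busy queue from one under a flood.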