From: Marc Slemko
To: Simon
cc: security@FreeBSD.ORG
Date: Wed, 26 Feb 1997 12:31:49 -0700 (MST)
Subject: Re: [SCZ-34647] Patch for SYN flooding
In-Reply-To: <199702261818.KAA20073@scruz.net>
Sender: owner-security@FreeBSD.ORG

If you run 2.1-stable or 2.2 it is already there. I think it was in
2.1.6 (err... the second 2.1.6 I think), and it is in 2.1.7.

If you run 2.1.x, keeping up to date with the -stable tree is always
good. There are few modifications to that tree, but important things
like security fixes are made there a lot of the time.

It implements oldest early drop, so that when the queue fills up it
drops the oldest uncompleted connection. I think it makes a
half-hearted attempt at random early drop when the rate gets very high,
but that is horribly inefficient and will remain that way until that
queue is moved into a hash table from a linked list.

Works reasonably well, although you may want to bump up somaxconn and
the backlog param in the listen() call of your server depending on your
situation.

On Wed, 26 Feb 1997, Simon wrote:

> Hi,
>
> We're an ISP in Santa Cruz, California that runs FreeBSD on some of our
> servers. We occasionally experience unintentional SYN flooding attacks
> due to uni-directional routing or similar problems. We understand that
> there is a patch available that addresses the SYN flooding problem. We
> would like to get information about this patch, what it does,
> and where we can find it. We'd appreciate any information you can give
> us.
>
> Thanks,
> Simon
> scruznet network operations
>
> -----------------------------------------------------------------------------
> Scruz-Net, Inc. * (800) 319-5555 * (408) 457-5050 * FAX: (408) 457-1020
> admin@scruz.net
>
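
The oldest-drop behaviour and the backlog advice in the reply above, as an added example that is not part of the original message and is not FreeBSD kernel code: a simplified model of a queue of half-open connections, showing that a legitimate handshake completes only if fewer unanswered SYNs than the backlog arrive before its ACK. All names (synq, syn_arrive, ack_arrive, legit_survives) are hypothetical.

```c
/* Simplified model of "oldest early drop" on a queue of half-open
 * connections. Illustration only; not FreeBSD kernel code. */
#include <stdio.h>

#define MAXQ 64

struct synq {
    unsigned ids[MAXQ];  /* ring buffer of pending ids, oldest at head */
    int head, len, cap;  /* cap plays the role of the listen() backlog */
};

static void synq_init(struct synq *q, int cap) {
    q->head = q->len = 0;
    q->cap = cap > MAXQ ? MAXQ : cap;
}

/* A SYN arrives: when the queue is full, evict the oldest half-open entry. */
static void syn_arrive(struct synq *q, unsigned id) {
    if (q->len == q->cap) {
        q->head = (q->head + 1) % q->cap;
        q->len--;
    }
    q->ids[(q->head + q->len) % q->cap] = id;
    q->len++;
}

/* The final ACK arrives. Returns 1 if the entry is still queued (the
 * handshake completes) or 0 if it was evicted. The lookup is a linear
 * scan, like the linked list the message mentions. */
static int ack_arrive(struct synq *q, unsigned id) {
    for (int i = 0; i < q->len; i++) {
        if (q->ids[(q->head + i) % q->cap] != id)
            continue;
        for (int j = i; j < q->len - 1; j++)  /* close the gap */
            q->ids[(q->head + j) % q->cap] = q->ids[(q->head + j + 1) % q->cap];
        q->len--;
        return 1;
    }
    return 0;
}

/* One legitimate SYN, then `unanswered` SYNs that never complete, then
 * the legitimate client's ACK. */
static int legit_survives(int backlog, int unanswered) {
    struct synq q;
    synq_init(&q, backlog);
    syn_arrive(&q, 1);
    for (int i = 0; i < unanswered; i++)
        syn_arrive(&q, 1000u + (unsigned)i);
    return ack_arrive(&q, 1);
}

int main(void) {
    printf("backlog 4, 4 unanswered: %d\n", legit_survives(4, 4));
    printf("backlog 8, 4 unanswered: %d\n", legit_survives(8, 4));
    return 0;
}
```

In this model an entry survives for roughly backlog divided by the SYN arrival rate, which is why raising the backlog gives clients with longer round-trip times room to finish the handshake.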