From owner-freebsd-security Thu Sep 12 17:15:25 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA14778 for security-outgoing; Thu, 12 Sep 1996 17:15:25 -0700 (PDT)
Received: (from jmb@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA14767; Thu, 12 Sep 1996 17:15:23 -0700 (PDT)
From: "Jonathan M. Bresler"
Message-Id: <199609130015.RAA14767@freefall.freebsd.org>
Subject: Re: SYN attacks
To: brandon@glacier.cold.org (Brandon Gillespie)
Date: Thu, 12 Sep 1996 17:15:22 -0700 (PDT)
Cc: freebsd-security@FreeBSD.org
In-Reply-To: from "Brandon Gillespie" at Sep 12, 96 04:16:51 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Brandon Gillespie wrote:
>
> I am basically without knowledge in regard to TCP protocols. What I'm
> wondering is how susceptible FreeBSD is to the SYN flooding attacks like
> those that took down panix.com? A patch to the linux kernel came out in
> the magazine '2600' which enabled one to do the SYN flooding, so I suspect
> it's going to become more common. Somebody mentioned a patch for BSD
> style kernels from Avi Freedman of NetAxs.com.

There are two steps that you can take:

-get the patch from problem report 1600

-decrease the value of TCPTV_KEEP_INIT from 75*PR_SLOWHZ to, say, 10*PR_SLOWHZ. This was suggested by Karl Denniger (sp?) of MCS in Chicago.

I have included the patch below.

Index: tcp_input.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/tcp_input.c,v retrieving revision 1.46 diff -c -2 -r1.46 tcp_input.c *** tcp_input.c 1996/05/02 05:54:12 1.46 --- tcp_input.c 1996/09/12 00:32:50 *************** *** 451,455 **** */ tp->t_idle = 0; ! tp->t_timer[TCPT_KEEP] = tcp_keepidle; /* --- 451,456 ---- */ tp->t_idle = 0; ! if (TCPS_HAVEESTABLISHED(tp->t_state)) !
tp->t_timer[TCPT_KEEP] = tcp_keepidle; /* *************** *** 833,839 **** tp->t_flags &= ~TF_NEEDFIN; tiflags &= ~TH_SYN; ! } else tp->t_state = TCPS_ESTABLISHED; ! } else { /* --- 834,841 ---- tp->t_flags &= ~TF_NEEDFIN; tiflags &= ~TH_SYN; ! } else { tp->t_state = TCPS_ESTABLISHED; ! tp->t_timer[TCPT_KEEP] = tcp_keepidle; ! } } else { /* *************** *** 860,865 **** tp->t_state = TCPS_FIN_WAIT_1; tp->t_flags &= ~TF_NEEDFIN; ! } else tp->t_state = TCPS_ESTABLISHED; tp->t_flags |= TF_NEEDSYN; } else --- 862,869 ---- tp->t_state = TCPS_FIN_WAIT_1; tp->t_flags &= ~TF_NEEDFIN; ! } else { tp->t_state = TCPS_ESTABLISHED; + tp->t_timer[TCPT_KEEP] = tcp_keepidle; + } tp->t_flags |= TF_NEEDSYN; } else *************** *** 1184,1189 **** tp->t_state = TCPS_FIN_WAIT_1; tp->t_flags &= ~TF_NEEDFIN; ! } else tp->t_state = TCPS_ESTABLISHED; /* * If segment contains data or ACK, will call tcp_reass() --- 1188,1195 ---- tp->t_state = TCPS_FIN_WAIT_1; tp->t_flags &= ~TF_NEEDFIN; ! } else { tp->t_state = TCPS_ESTABLISHED; + tp->t_timer[TCPT_KEEP] = tcp_keepidle; + } /* * If segment contains data or ACK, will call tcp_reass()
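Review bot: the new guard `if (TCPS_HAVEESTABLISHED(tp->t_state))` in front of `tp->t_timer[TCPT_KEEP] = tcp_keepidle;` in the first hunk (lines 451-455) needs a comment in the code saying why it is there: a segment arriving for a not-yet-established tcb must no longer re-arm TCPT_KEEP with tcp_keepidle, otherwise the short TCPTV_KEEP_INIT timeout the mail recommends tuning is overwritten by the (much longer) keepidle value and a half-open connection sits in the table for that long. The guard only works if TCPT_KEEP was armed with TCPTV_KEEP_INIT when the tcb was created, which this diff does not show; a one-line comment pointing at that dependency would make the change reviewable without the rest of the file.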
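Review bot: the identical line `tp->t_timer[TCPT_KEEP] = tcp_keepidle;` is now added at three separate transitions to TCPS_ESTABLISHED (the hunks at 833-839, 860-865 and 1184-1189). Because the first hunk stops the common input path from arming the timer for pre-established states, any transition to ESTABLISHED that this diff does not cover would leave TCPT_KEEP holding whatever remained of TCPTV_KEEP_INIT; suggest folding the state change and the timer arming into one helper or macro so a future transition cannot miss the second half, and noting in the commit text that these three sites were checked to be the only ones.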
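The following model, added here as an illustration and not part of the mail or of the patch, replays the keepalive-timer logic the patch changes: how long a SYN_RECEIVED entry lives before tcp_timers() drops it, with and without the guard from the first hunk, and why the later hunks must re-arm the timer once the connection is established. Timer constants (PR_SLOWHZ, tcp_keepidle) are assumed from the 4.4BSD tcp_timer.h of that era; TCPS_HAVEESTABLISHED is assumed to be the usual "state at or past ESTABLISHED" test.

```c
/* Model of the embryonic-connection keepalive timer in 4.4BSD tcp_input.c.
 * Added example; constants assumed from tcp_timer.h, not taken from the mail. */
#include <stdio.h>
#include <stdbool.h>

#define PR_SLOWHZ        2                   /* slow-timeout ticks per second */
#define TCPTV_KEEP_IDLE  (120*60*PR_SLOWHZ)  /* tcp_keepidle: two hours, in ticks */

enum { TCPS_SYN_RECEIVED = 3, TCPS_ESTABLISHED = 4 };
#define TCPS_HAVEESTABLISHED(s) ((s) >= TCPS_ESTABLISHED)

struct tcpcb { int t_state; int t_keep; };   /* t_keep models t_timer[TCPT_KEEP] */

/* What the code near line 451 does for every arriving segment. */
static void segment_arrives(struct tcpcb *tp, bool patched)
{
    if (!patched || TCPS_HAVEESTABLISHED(tp->t_state))
        tp->t_keep = TCPTV_KEEP_IDLE;        /* old code: unconditional re-arm */
}

/* Slow ticks until a half-open (SYN_RECEIVED) tcb is dropped when the peer
 * never completes the handshake but one retransmitted SYN arrives at tick
 * resend_at (0 = none). keep_init is TCPTV_KEEP_INIT in ticks. */
int half_open_lifetime(int keep_init, int resend_at, bool patched)
{
    struct tcpcb tp = { TCPS_SYN_RECEIVED, keep_init };
    for (int tick = 1; ; tick++) {
        if (tick == resend_at)
            segment_arrives(&tp, patched);
        if (--tp.t_keep == 0)                /* tcp_timers(): not established, drop */
            return tick;
    }
}

/* TCPT_KEEP right after the handshake-completing ACK arrives ack_at ticks in.
 * With the guard alone (arm_on_established=false) the leftover KEEP_INIT
 * remainder carries into ESTABLISHED; the later hunks add the explicit arming. */
int keep_after_established(int keep_init, int ack_at, bool arm_on_established)
{
    struct tcpcb tp = { TCPS_SYN_RECEIVED, keep_init - ack_at };
    segment_arrives(&tp, true);              /* guard skips: still SYN_RECEIVED */
    tp.t_state = TCPS_ESTABLISHED;
    if (arm_on_established)
        tp.t_keep = TCPTV_KEEP_IDLE;         /* the line added in hunks 2-4 */
    return tp.t_keep;
}

int main(void)
{
    printf("unpatched, SYN resent at tick 5: %d ticks\n", half_open_lifetime(75*PR_SLOWHZ, 5, false));
    printf("patched,   SYN resent at tick 5: %d ticks\n", half_open_lifetime(75*PR_SLOWHZ, 5, true));
    printf("patched, KEEP_INIT=10*PR_SLOWHZ: %d ticks\n", half_open_lifetime(10*PR_SLOWHZ, 5, true));
    return 0;
}
```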