Date: Fri, 27 Sep 1996 21:47:22 +0400 (MSD) From: apg@demos.net (Paul Antonov) To: hackers@freebsd.org Subject: patch against SYN floods (RED impl.) Message-ID: <qSgC1JoeM1@dream.demos.su>
next in thread | raw e-mail | index | archive | help
Here's my quick patch for 2.1.0 kernel (although it will fit for
2.1.5 either) implementing Random Early Drop for tcp listen queues.
I've tested in on SYN attacks with over 1000pps rate, and it works
reasonably well.
*** tcp_input.c.orig Fri Sep 27 14:53:03 1996
--- tcp_input.c Fri Sep 27 21:35:32 1996
***************
*** 396,405 ****
}
#endif
if (so->so_options & SO_ACCEPTCONN) {
! register struct tcpcb *tp0 = tp;
! so = sonewconn(so, 0);
! if (so == 0)
! goto drop;
/*
* This is ugly, but ....
*
--- 396,412 ----
}
#endif
if (so->so_options & SO_ACCEPTCONN) {
! register struct tcpcb *tp0 = tp;
! register struct socket *so0 = so;
! void tcp_sodrop();
!
! so = sonewconn(so0, 0);
! if (so == 0) {
! tcp_sodrop(so0, ti);
! so = sonewconn(so0, 0);
! if (so == 0)
! goto drop;
! }
/*
* This is ugly, but ....
*
***************
*** 1654,1659 ****
--- 1661,1699 ----
(void) soabort(so);
return;
#ifndef TUBA_INCLUDE
+ }
+
+ /*
+ * Simple RED (Random Early Drop) implementation against SYN floods.
+ */
+ void
+ tcp_sodrop(so, ti)
+ struct socket *so;
+ struct tcpiphdr *ti;
+ {
+ extern struct timeval time;
+ struct tcpcb *tp;
+ struct inpcb *inp;
+ int rnd;
+
+ /* pseudo-random function */
+ rnd = (unsigned int) (ti->ti_seq + time.tv_usec / 33) %
+ so->so_q0len;
+ for (inp = tcb.lh_first; inp; inp = inp->inp_list.le_next) {
+ tp = intotcpcb(inp);
+ if (!tp || inp->inp_lport != ti->ti_dport)
+ continue;
+ rnd--;
+ if (tp->t_state != TCPS_SYN_RECEIVED)
+ continue;
+ if (rnd <= 0) {
+ tp->t_timer[TCPT_KEEP] = 0;
+ (void) tcp_usrreq(tp->t_inpcb->inp_socket,
+ PRU_SLOWTIMO, (struct mbuf *)0,
+ (struct mbuf *) TCPT_KEEP, (struct mbuf *)0);
+ return;
+ }
+ }
}
void
-------
-- Paul
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?qSgC1JoeM1>