Date: Mon, 29 Nov 1999 13:01:08 -0600
From: Guy Helmer <ghelmer@scl.ameslab.gov>
To: "Mark D. Anderson" <mda@discerning.com>
Cc: freebsd-hackers@freebsd.org
Subject: Re: SYN flood and freebsd?
Message-ID: <Pine.SGI.4.20.9911291235480.17464-100000@demios.scl.ameslab.gov>
In-Reply-To: <3271662348.943869500@MDAXKE>

On Mon, 29 Nov 1999, Mark D. Anderson wrote:

> i've searched around deja and freebsd.org and come up wanting
> (email archives rarely show resolutions...).
>
> what is the current status in stable and latest regarding
> defense against SYN flood, and how is it implemented?
>
> i found some discussion regarding the inadequacy of the "SYN cookie"
> defense added to linux -- i couldn't make out whether that
> fix has actually been withdrawn from linux or not.
> i also didn't find an explanation of exactly what was bad about
> it -- something about firewalls or NAT.
> see for example:
> http://x41.deja.com/getdoc.xp?AN=491586304&CONTEXT=942635225.1891434518&hitnum=26

I can't comment about the SYN-cookie approach, since I haven't heard about
its pitfalls.

> and openbsd has apparently settled on a random dropping of
> old half-open connections.
>
> appreciate some clarification on this, as well as pointers
> to where answers to things like this might be found, for
> those of us who don't want to run grep through kernel sources.

There was some discussion about this on freebsd-net or freebsd-hackers in
September 1996 which can be reviewed by using the mail list search page at
http://www.freebsd.org/search/search.html.

Anyway, the CVS history gives the definitive answer for which you are
looking. The pages at
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_input.c and
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/kern/uipc_socket2.c show
that random drop was implemented (see tcp_input.c versions 1.54 & 1.55 and
uipc_socket2.c versions 1.15 & 1.16).

Guy

Guy Helmer, Ph.D. Candidate, Iowa State University Dept. of Computer Science
Research Assistant, Ames Laboratory --- ghelmer@scl.ameslab.gov
Research Assistant, Dept. of Computer Science --- ghelmer@cs.iastate.edu
Teaching Assistant, ComS 652 Distributed Operating Systems
http://www.cs.iastate.edu/~ghelmer

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message