Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 18 Nov 1995 21:59:16 +0300
From:      Andrew Timonin <tim@Relcom.EU.net>
To:        Luigi Rizzo <luigi@labinfo.iet.unipi.it>, Ollivier Robert <roberto@keltia.freenix.fr>
Cc:        davidg@Root.COM, hackers@freebsd.org
Subject:   Re: TIME_WAIT and linear chain of TCPCBs (was: ...beat a WEB server to death)
Message-ID:  <WB4qYhmKRz@sssun.spb.su>
In-Reply-To: <199511132341.AAA04886@keltia.freenix.fr>; from Ollivier Robert at Tue, 14 Nov 1995 00:41:57 %2B0100 (MET)
References:  <199511132341.AAA04886@keltia.freenix.fr>
next in thread | previous in thread | raw e-mail | index | archive | help 
In message <199511132341.AAA04886@keltia.freenix.fr> Ollivier Robert
    writes:

>It seems that Luigi Rizzo said:
>> 
>> especially because they do not derive from a bug but from a feature :)
>
>There  was talk  about  something  somewhat  related in  bugtraq about half
>opened connections (SYN_RECV then nothing else) and  the possible denial of
>service...

I still have no time to look in 2.1 sources, but in 2.0.5 there was
a bug in ip_icmp.c in ICMP_UNREACH type processing.
It look like a misprint, you may see it from a diff:

*** ip_icmp.c.orig	Tue May 30 12:09:42 1995
--- ip_icmp.c	Sat Oct 21 13:01:50 1995
***************
*** 240,246 ****
  			case ICMP_UNREACH_PROTOCOL:
  			case ICMP_UNREACH_PORT:
  			case ICMP_UNREACH_SRCFAIL:
! 				code += PRC_UNREACH_NET;
  				break;
  
  			case ICMP_UNREACH_NEEDFRAG:
--- 240,246 ----
  			case ICMP_UNREACH_PROTOCOL:
  			case ICMP_UNREACH_PORT:
  			case ICMP_UNREACH_SRCFAIL:
! 				code = PRC_UNREACH_NET;
  				break;
  
  			case ICMP_UNREACH_NEEDFRAG:

----------------

This may lead to a large number of TCP connections in SYN RECEIVED state,
for ex. on large mail relays when some site without a back route to it is
trying to semd mail to this relay. It sends SYN, which reach relay via
for ex. default route. Relay sends SYN back, but get ICMP_UNREACH as
a reply :-(. But because of this misprint tcp socket will not be closed
as it should be, but will hang waiting for timeout expire.


> -- 
>Ollivier ROBERT    -=- The daemon is FREE! -=-    roberto@keltia.frmug.fr.net
>   FreeBSD keltia.freenix.fr 2.2-CURRENT #1: Sun Nov 12 16:47:05 MET 1995
-- 
 Andrew A. Timonin	E-mail tim@sssun.spb.su,
   St.Petersburg	phone:	office:  +7 (812) 1106762
	Russia			private: +7 (812) 2540779

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?WB4qYhmKRz>