From: Andrew Timonin
Reply-To: tim@sssun.spb.su
Organization: RELCOM Corp., St.Petersburg
To: Luigi Rizzo, Ollivier Robert
Cc: davidg@Root.COM, hackers@freebsd.org
Date: Sat, 18 Nov 1995 21:59:16 +0300
Subject: Re: TIME_WAIT and linear chain of TCPCBs (was: ...beat a WEB server to death)
In-Reply-To: <199511132341.AAA04886@keltia.freenix.fr>; from Ollivier Robert at Tue, 14 Nov 1995 00:41:57 +0100 (MET)

In message <199511132341.AAA04886@keltia.freenix.fr> Ollivier Robert writes:
>It seems that Luigi Rizzo said:
>>
>> especially because they do not derive from a bug but from a feature :)
>
>There was talk about something somewhat related in bugtraq about half
>opened connections (SYN_RECV then nothing else) and the possible denial of
>service...

I still have no time to look in 2.1 sources, but in 2.0.5 there was a bug
in ip_icmp.c in ICMP_UNREACH type processing. It looks like a misprint, you
may see it from a diff:

*** ip_icmp.c.orig Tue May 30 12:09:42 1995 --- ip_icmp.c Sat Oct 21 13:01:50 1995 *************** *** 240,246 **** case ICMP_UNREACH_PROTOCOL: case ICMP_UNREACH_PORT: case ICMP_UNREACH_SRCFAIL: ! code += PRC_UNREACH_NET; break; case ICMP_UNREACH_NEEDFRAG: --- 240,246 ---- case ICMP_UNREACH_PROTOCOL: case ICMP_UNREACH_PORT: case ICMP_UNREACH_SRCFAIL: ! 
code = PRC_UNREACH_NET; break; case ICMP_UNREACH_NEEDFRAG: ----------------

This may lead to a large number of TCP connections in SYN RECEIVED state,
for ex. on large mail relays when some site without a back route to it is
trying to send mail to this relay. It sends SYN, which reaches the relay via
for ex. the default route. The relay sends SYN back, but gets ICMP_UNREACH as a
reply :-(. But because of this misprint the tcp socket will not be closed as it
should be, but will hang waiting for the timeout to expire.

> --
>Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.frmug.fr.net
> FreeBSD keltia.freenix.fr 2.2-CURRENT #1: Sun Nov 12 16:47:05 MET 1995

--
Andrew A. Timonin    E-mail tim@sssun.spb.su,
St.Petersburg        phone: office:  +7 (812) 1106762
Russia                      private: +7 (812) 2540779
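
Review bot: changing `code += PRC_UNREACH_NET;` to `code = PRC_UNREACH_NET;` in the second half of the context diff makes every label that falls through to it (ICMP_UNREACH_PROTOCOL, ICMP_UNREACH_PORT and ICMP_UNREACH_SRCFAIL are the ones visible) produce the same PRC_UNREACH_NET value, so the protocol layer can no longer tell a port or protocol unreachable from a network unreachable. If `code` holds the ICMP code on entry to the switch, which the hunk does not show, the `+=` form is an offset mapping that gives each label its own PRC_ value and may be intentional rather than a misprint. Please add a comment stating which PRC_ value each ICMP code is meant to map to, and consider whether the SYN RECEIVED cleanup described in the message belongs in the TCP handler for these notifications, restricted to connections that are not yet established, instead of in this mapping.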