[4311] in North American Network Operators' Group
Re: SYN Resisting
daemon@ATHENA.MIT.EDU (Chris Layton)
Wed Sep 11 18:00:20 1996
Date: Wed, 11 Sep 1996 17:54:02 -0400 (EDT)
From: Chris Layton <cll@cais.cais.com>
To: Avi Freedman <freedman@netaxs.com>
cc: nanog@merit.edu, alexis@panix.com
In-Reply-To: <199609111808.OAA15697@netaxs.com>
On Wed, 11 Sep 1996, Avi Freedman wrote:
>
> In order to build a SYN-resistant BSD kernel, you need to modify one
> file in src/sys/os, uipc_socket2.c, and you also need to modify
> src/sys/netinet/tcp_timer.h and you have to rebuild tcp_usrreq.c and
> tcp_input.c in the netinet directory.
For those of you running Solaris 2.5, this can be done using ndd. The man
page and the "ndd /dev/tcp \?" command will get you started. You will have
to tweak the following variables "tcp_conn_req_max" and
"tcp_conn_grace_period". This will have roughly the same effects as Avi's
patches.
>
> From the bottom level up, change TCPTV_KEEP_INIT from 75*PR_SLOWHZ
> to 7*PR_SLOWHZ (or whatever # you want). This timeout (the 75) is
> the number of seconds that the kernel will keep un-established TCP
> PCB/sockets around for... When the SYN is received, it is acknowledged
> and the PCB && socket are set up for the embryonic session; the goal
> is to rip those things out of any queues they're in more aggressively.
On web servers, remote users routinely take longer than this to set up
connections. Anything less than 15-20 seconds and you will start losing
hits from those ISPs that Metcalfe seems to frequent. This isn't a
criticism of Avi's patch. It's just something to be aware of.
>
> On a Sparc 1+ w/ 4.1.4, I could sustain a 200-400 SYN-packet/sec attack
> and still remain functional (and quick for a 1+), but the machine didn't
> normally run web servers... Even when I nailed it with 1000 SYNs/sec,
> the machine continued functioning but I couldn't connect to the socket
> being nailed. A second after stopping the heavier attack, I could.
>
I have no idea what this will do for performance on Solaris 2.5 machines.
-chris
PS Does anyone have a good source of info on the Solaris implementation
for those of us not lucky enough to have source licenses?
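An added illustration of the trade-off discussed in this thread (not code from the thread, from Avi's patch, or from any BSD or Solaris kernel): a toy model of the embryonic-connection queue in which `backlog` stands in for the listen-queue limit (Solaris `tcp_conn_req_max`, the BSD socket backlog) and `keep_init` for the seconds an unestablished PCB survives (BSD `TCPTV_KEEP_INIT`). The attack rate, queue size, and the client timings are constructed numbers chosen to show the effect, not measurements. Under a steady flood the queue holds roughly `syn_rate * keep_init` entries (Little's law), so shrinking the timeout from 75 to 7 seconds is what leaves room for a real client; the same model shows Chris's caveat that a client whose final ACK takes longer than `keep_init` gets its half-open entry reaped before the handshake completes.

```python
"""Toy model of a BSD-style embryonic (half-open) TCP connection queue.

Constructed illustration, not code from the NANOG thread or any kernel:
 - backlog   ~ listen queue limit (Solaris tcp_conn_req_max, BSD backlog)
 - keep_init ~ seconds an unestablished PCB survives (BSD TCPTV_KEEP_INIT)
Time advances in whole seconds; the attacker sends `syn_rate` SYNs per
second from spoofed sources that never complete the handshake.
"""
from collections import deque


def simulate(syn_rate, keep_init, backlog, duration, legit_clients=()):
    """Run the flood for `duration` seconds.

    legit_clients: iterable of (arrival_second, ack_delay) pairs for real
    clients; ack_delay is how many seconds the client's final ACK takes
    to arrive after its SYN is answered.
    Returns peak queue depth, attacker SYNs dropped, and per-client outcome.
    """
    queue = deque()          # expiry second of each embryonic entry, FIFO
    dropped = 0
    peak = 0
    outcome = {}
    clients = dict(legit_clients)
    for t in range(duration):
        # 1. reap entries whose KEEP_INIT timer has fired
        while queue and queue[0] <= t:
            queue.popleft()
        # 2. the attacker's burst for this second fills whatever is free
        for _ in range(syn_rate):
            if len(queue) < backlog:
                queue.append(t + keep_init)
            else:
                dropped += 1
        # 3. a real client's SYN arrives after the burst (worst case)
        if t in clients:
            accepted = len(queue) < backlog
            if accepted:
                queue.append(t + keep_init)
            # the entry must still exist when the client's ACK shows up
            completed = accepted and clients[t] < keep_init
            outcome[t] = {"accepted": accepted, "completed": completed}
        peak = max(peak, len(queue))
    return {"peak": peak, "attack_dropped": dropped, "clients": outcome}


def steady_state_depth(syn_rate, keep_init, backlog):
    """Little's law: entries alive at once under a steady flood, capped."""
    return min(syn_rate * keep_init, backlog)


if __name__ == "__main__":
    # Constructed scenario: 100 SYN/s flood, 1024-entry queue, one real
    # client arriving at t=100 whose ACK takes 20 s (a slow dial-up path).
    for keep_init in (75, 7):
        r = simulate(100, keep_init, 1024, 120, [(100, 20)])
        print(keep_init, steady_state_depth(100, keep_init, 1024),
              r["attack_dropped"], r["clients"][100])
```

With the 75-second timeout the queue is pinned at its 1024 limit and the real client is refused outright; with 7 seconds the flood only ever occupies about 700 slots, so the client's SYN is answered, but its entry is reaped before the 20-second ACK arrives, which is the connection loss Chris describes for slow paths. A client whose ACK arrives within the timeout completes normally.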