[4106] in linux-net channel archive
SYN floods
daemon@ATHENA.MIT.EDU (nelson@crynwr.com)
Tue Aug 20 01:12:18 1996
Date: 20 Aug 1996 03:31:56 -0000
From: nelson@crynwr.com
To: linux-net@vger.rutgers.edu
In-Reply-To: <Pine.LNX.3.95.960819120644.2175E-100000@douglas.nexus.olemiss.edu>
Douglas L. Stewart writes:
> Has anyone seen the latest 2600? I've heard that there was a program in
> there to do SYN floods. People are using this against IRC servers right
> now (servers running on all UN*X platforms). Is there any kind of
> kernel-level solution for this?
>
> (If someone has the program, I'd appreciate a copy. My server's being SYN
> flooded right now, and I'd like to understand what's going on better.)
Ugh. This is an ugly problem, particularly if they spoof the SYNs
from widely-ranging addresses. The only way to tell if it's a real
SYN is if, when you respond to it, they respond back. So, not only
does a SYN flood suck up your incoming connection, the only defense
against it (that *I* can see) involves sucking up your outgoing
connection with responses.

Sounds like a problem that needs to be solved in user space.
-russ <nelson@crynwr.com> http://www.crynwr.com/~nelson
Crynwr Software sells packet driver support | PGP ok
521 Pleasant Valley Rd. | +1 315 268 1925 voice | Corporations persuade;
Potsdam, NY 13676 | +1 315 268 9201 FAX | governments coerce.
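
The test described in the reply above (a SYN is known to be real only once the peer answers the server's response) written as a small half-open connection tracker for the defending side. This is an added example, not part of the original message; the event tuples, the documentation-range addresses and the 3-second timeout are constructed assumptions.

```python
# Constructed sample: (time_s, src_ip, src_port, flag) as seen on the
# server's listening port. "ACK" means the peer answered our SYN-ACK.
EVENTS = [
    (0.00, "198.51.100.7", 40001, "SYN"),
    (0.05, "198.51.100.7", 40001, "ACK"),   # handshake completed
    (0.10, "203.0.113.15", 1025, "SYN"),    # never answered
    (0.11, "203.0.113.99", 1026, "SYN"),    # never answered
    (0.12, "192.0.2.44", 1027, "SYN"),      # never answered
    (0.20, "198.51.100.9", 40002, "SYN"),
    (0.90, "198.51.100.9", 40002, "ACK"),   # slow but real client
    (5.00, "198.51.100.7", 40003, "SYN"),   # too recent to judge
]


def track_handshakes(events, timeout=3.0):
    """Classify each SYN by whether the peer completed the handshake.

    Returns (completed, expired, pending) lists of (src_ip, src_port).
    'expired' entries sat half-open longer than `timeout` seconds, which
    is what SYNs from spoofed sources look like to the server.
    """
    half_open = {}            # (ip, port) -> time the SYN arrived
    completed, expired = [], []

    def expire(now):
        # Drop half-open entries whose peer never answered in time.
        for key in [k for k, t0 in half_open.items() if now - t0 > timeout]:
            expired.append(key)
            del half_open[key]

    last_ts = 0.0
    for ts, ip, port, flag in sorted(events):
        expire(ts)
        key = (ip, port)
        if flag == "SYN":
            half_open.setdefault(key, ts)   # retransmitted SYN keeps first time
        elif flag == "ACK" and key in half_open:
            completed.append(key)           # the peer responded back
            del half_open[key]
        last_ts = ts
    expire(last_ts)
    return completed, expired, list(half_open)


if __name__ == "__main__":
    done, dead, waiting = track_handshakes(EVENTS)
    print("completed:", done)
    print("expired (never answered):", dead)
    print("still pending:", waiting)
```

Every expired entry here comes from a different source address, so a per-address counter would not flag any of them; the count of expired half-open entries is the signal.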