[4134] in linux-net channel archive
Re: SYN floods
daemon@ATHENA.MIT.EDU (Racer X)
Thu Aug 22 02:09:23 1996
Date: Wed, 21 Aug 1996 23:27:51 -0400 (EDT)
From: Racer X <shagboy@wspice.com>
Reply-To: shagboy@bluesky.net
To: nelson@crynwr.com
cc: linux-net@vger.rutgers.edu
In-Reply-To: <19960820033156.9524.qmail@ns.crynwr.com>
On 20 Aug 1996 nelson@crynwr.com wrote:
> Ugh. This is an ugly problem, particularly if they spoof the SYNs
> from widely-ranging addresses. The only way to tell if it's a real
> SYN is if, when you respond to it, they respond back. So, not only
> does a SYN flood suck up your incoming connection, the only defense
> against it (that *I* can see) involves sucking up your outgoing
> connection with responses.
>
> Sounds like a problem that needs to be solved in user space.
Hi,
I just posted about a similar subject to linux-security - basically the
same problem, but it hits inetd instead. My question is - can a
connection that is in state SYN_RECV be arbitrarily terminated at any
time, or does it have to wait for the timeout in the TCP code?
If you can shut it down anytime, a userland daemon could easily track
connects and watch for strange behavior. But it would probably have to
throb some kernel data anyway...
shag
Judd Bourgeois | When we are planning for posterity,
shagboy@bluesky.net | we ought to remember that virtue is
Finger for PGP key | not hereditary. Thomas Paine
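A defender-side sketch of the userland tracker shag asks about, added here as an example and not code from the thread: it parses constructed lines in the shape of `ss -Htan state syn-recv` output (a tool that post-dates this thread), counts half-open connections per peer and per local port, and flags both a single noisy source and a port whose backlog is filling from many addresses, the spoofed case nelson describes where no single source stands out. The sample data and thresholds are assumptions.

```python
from collections import Counter

# Constructed sample in the column layout of `ss -Htan state syn-recv`:
# Recv-Q Send-Q Local:Port Peer:Port (state column omitted by the filter).
SAMPLE = """\
0 0 192.0.2.10:80 198.51.100.7:40001
0 0 192.0.2.10:80 198.51.100.7:40002
0 0 192.0.2.10:80 198.51.100.7:40003
0 0 192.0.2.10:80 203.0.113.9:1024
0 0 192.0.2.10:80 203.0.113.10:1024
0 0 192.0.2.10:80 203.0.113.11:1024
0 0 192.0.2.10:80 203.0.113.12:1024
0 0 192.0.2.10:25 203.0.113.13:1024
"""


def parse_syn_recv(text):
    """Return a list of (local_port, peer_addr) for each SYN_RECV socket line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        local, peer = fields[2], fields[3]
        lport = int(local.rsplit(":", 1)[1])   # rsplit keeps IPv6 literals intact
        paddr = peer.rsplit(":", 1)[0]
        rows.append((lport, paddr))
    return rows


def assess(rows, per_source_max=3, per_port_max=5):
    """Two checks. Per-source counts catch an unspoofed flood; per-port totals
    catch a flood from widely ranging (spoofed) addresses, where every source
    stays below the per-source threshold but the listen backlog still fills.
    Thresholds are assumed values, not kernel defaults."""
    by_source = Counter(addr for _, addr in rows)
    by_port = Counter(port for port, _ in rows)
    return {
        "noisy_sources": sorted(a for a, n in by_source.items() if n >= per_source_max),
        "saturated_ports": sorted(p for p, n in by_port.items() if n >= per_port_max),
        "half_open_total": len(rows),
    }


if __name__ == "__main__":
    print(assess(parse_syn_recv(SAMPLE)))
```

On the sample, port 80 is flagged even though only one peer exceeds the per-source limit; the other half-open entries come from five distinct addresses, which is why a per-source rule alone is not enough.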