[4186] in linux-net channel archive
Re: SYN floods
daemon@ATHENA.MIT.EDU (nelson@crynwr.com)
Sun Aug 25 12:52:22 1996
Date: 25 Aug 1996 16:43:48 -0000
From: nelson@crynwr.com
To: linux-net@vger.rutgers.edu
In-Reply-To: <dwp09f.i89@bigred.inka.de>
Olaf Titz writes:
> <nelson@crynwr.com> wrote:
> [Filtering excessive SYNs]
> > > I have an even better idea - rather than rely on the vendors, let's put it
> > > in the Linux IP code. (I do agree with you that the vendors SHOULD do
> > > that, but I don't really think they're going to)
> > Linux is not used as a router by too many people.
>
> No, put it in the Linux code for the benefit of the targets of such attacks.
Sigh. We're talking about two different things here -- one is how to
discover the source of excessive SYN attacks (which cannot be done
without the cooperation of ISPs who don't already filter, so it's not
likely to happen), and the other is how to deal with all these SYNs.
I guess Linux has a problem with sinners -- a religious OS! :)
The problem is twofold: it uses up network bandwidth, just like an
ICMP (ping) attack, but it also uses up kernel memory. You can turn
off ICMP temporarily, which at least gives you some outgoing
bandwidth, but you can't stop answering all SYNs, otherwise you deny
ALL service.
You HAVE TO answer ALL SYNs, so you HAVE TO fill up your outgoing
bandwidth. The most serious problem is that you also have to keep the
state implied by answering the SYN.
-russ <nelson@crynwr.com> http://www.crynwr.com/~nelson
Crynwr Software sells packet driver support | PGP ok
521 Pleasant Valley Rd. | +1 315 268 1925 voice | Corporations persuade;
Potsdam, NY 13676 | +1 315 268 9201 FAX | governments coerce.
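The point Russ makes at the end (answering every SYN forces you to keep half-open state, and that state, not the bandwidth, is what runs out first) can be shown with a small model. The following is an added example, not code from this message or from the Linux kernel of the time: it simulates a listener whose half-open queue has a fixed size, floods it with spoofed SYNs that never complete the handshake, and then checks whether a legitimate client can still connect. It also models the stateless answer that later became standard, SYN cookies (not mentioned in the message), where the server's initial sequence number is a keyed hash of the connection tuple and a time slot, so a SYN still costs outgoing bandwidth but no kernel memory. Backlog size, timeout, flood rate and the secret key are all constructed values, not real defaults.

```python
"""Model of why a SYN flood exhausts listener state, and why a stateless
reply (SYN cookies) does not. Added example, not the kernel's code; every
constant below is an assumption chosen for the demonstration."""
import hmac
import hashlib
import random
from dataclasses import dataclass, field

BACKLOG = 128              # assumed half-open queue size
HALF_OPEN_TIMEOUT = 75.0   # assumed seconds a SYN_RECV entry lives without an ACK


@dataclass
class StatefulListener:
    """Classic behaviour: each answered SYN allocates an entry that stays
    until the handshake's third packet arrives or the timer expires."""
    backlog: int = BACKLOG
    table: dict = field(default_factory=dict)   # (src_ip, src_port) -> expiry

    def _expire(self, now):
        for key in [k for k, exp in self.table.items() if exp <= now]:
            del self.table[key]

    def on_syn(self, src_ip, src_port, now):
        """True if a SYN-ACK was sent and state kept; False if the SYN was dropped."""
        self._expire(now)
        if len(self.table) >= self.backlog:
            return False                  # queue full: new clients are refused
        self.table[(src_ip, src_port)] = now + HALF_OPEN_TIMEOUT
        return True

    def on_ack(self, src_ip, src_port, now):
        """Third handshake packet: only completes if a half-open entry exists."""
        self._expire(now)
        return self.table.pop((src_ip, src_port), None) is not None


class CookieListener:
    """Stateless alternative: the server ISN is a keyed hash over the client
    tuple and a coarse time slot, so nothing is stored until the ACK arrives."""

    def __init__(self, secret=b"constructed-secret", slot_seconds=64):
        self.secret = secret              # constructed key, rotate in practice
        self.slot_seconds = slot_seconds

    def _cookie(self, src_ip, src_port, slot):
        msg = f"{src_ip}:{src_port}:{slot}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src_ip, src_port, now):
        """Always answers; returns the ISN for the SYN-ACK and keeps no state."""
        return self._cookie(src_ip, src_port, int(now // self.slot_seconds))

    def on_ack(self, src_ip, src_port, ack_number, now):
        """Accept only if ack-1 is a cookie minted in this or the previous slot."""
        current = int(now // self.slot_seconds)
        for slot in (current, current - 1):
            if (ack_number - 1) & 0xFFFFFFFF == self._cookie(src_ip, src_port, slot):
                return True
        return False


def simulate_flood(n_spoofed=10_000, seed=1):
    """Send n_spoofed constructed SYNs (random sources, never ACKed) to both
    listeners, then try one legitimate handshake.
    Returns (stateful_client_ok, cookie_client_ok, stateful_entries_held)."""
    rng = random.Random(seed)
    stateful, cookie = StatefulListener(), CookieListener()
    now = 1000.0
    for _ in range(n_spoofed):
        src = f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(256)}"
        sport = rng.randrange(1024, 65536)
        stateful.on_syn(src, sport, now)  # fills the queue, entries never clear
        cookie.on_syn(src, sport, now)    # costs a reply, stores nothing
        now += 0.001                      # 1000 SYN/s, far inside the timeout

    # A legitimate client (constructed address) that does complete the handshake.
    client = ("192.0.2.10", 40000)
    stateful_ok = stateful.on_syn(*client, now) and stateful.on_ack(*client, now + 0.05)
    isn = cookie.on_syn(*client, now)
    cookie_ok = cookie.on_ack(*client, isn + 1, now + 0.05)
    return bool(stateful_ok), cookie_ok, len(stateful.table)


if __name__ == "__main__":
    print(simulate_flood())   # (False, True, 128): stateful listener is wedged
```

With 10,000 spoofed SYNs the stateful table sits at its 128-entry ceiling for the whole 75-second timeout, so the genuine client's SYN is dropped even though the flood is only 1,000 packets per second. The cookie listener answers every one of those SYNs too, which is the bandwidth cost the message says you cannot avoid, but holds no entries, so the genuine client's ACK validates and the connection completes. A small flood (try `simulate_flood(n_spoofed=10)`) leaves both listeners working, which shows the failure is a capacity limit on state, not on replies.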