[4208] in linux-net channel archive
Re: SYN floods
daemon@ATHENA.MIT.EDU (Bernd Eckenfels)
Wed Aug 28 03:14:21 1996
To: submit-linux-dev-net@ratatosk.yggdrasil.com
From: ecki@inka.de (Bernd Eckenfels)
Date: 28 Aug 1996 02:19:32 GMT
Racer X <shagboy@wspice.com> wrote:
: So, dealing with the SYN packets - Olaf and I suggested adding some code
: to the kernel to provide hooks for detection of this kind of attack. The
: actual detection and policy setting would not be done in the kernel, of
: course.
I'm designing a /dev/alert (netlink) device, which will send messages
from the kernel to user space about abnormal conditions like: "listen
backlog filled up", "syn_rcvd expired", "syn on not listen port", "icmp
bla"... This is especially for firewalls, but will of course be for other
things, too.
: Okay. Who says we "have" to answer all SYN's? The RFC's? Very well, I'll
: accept that for a truly compliant TCP stack, we have to answer them all. My
: idea is not to turn this off and detect SYN floods in the kernel; it's just
: to add the necessary hooks to implement a policy change on the fly (perhaps
: with a userland daemon).
Well, the problem with this is that the userland daemon can do a lot of
things, but it has no chance to keep your backlog from filling, since you
always want to accept connections from certain hosts and the attacker can
always pick those hosts as the source of their spoofed SYNs.
Greetings
Bernd
--
(OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
( .. ) ecki@lina.{inka.de,ka.sub.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD eckes@irc +4972573817 *plush*
(O____O) If privacy is outlawed only Outlaws have privacy
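The point Bernd makes about the backlog, as an added illustration that is not
part of the mail or of any Linux kernel code: a toy model of a listen backlog
holding SYN_RCVD entries with a timer, plus the kind of policy a user-space
daemon could push in ("under attack, admit only trusted hosts"). The backlog
size, the 75-second timeout, the addresses and all function names are
constructed for this example. It shows that once the attacker spoofs SYNs from
a host the policy must always admit, the backlog fills anyway and a real client
on that host is dropped until the half-open entries expire; the policy only
helps against sources it is allowed to refuse.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sizes, chosen small so the scenario is easy to follow. */
#define BACKLOG_MAX      8    /* listen() backlog: max half-open connections */
#define SYN_RCVD_TIMEOUT 75   /* seconds a SYN_RCVD entry lives before it expires */
#define MAX_TRUSTED      4

struct half_open {
    bool     used;
    uint32_t src_addr;
    uint16_t src_port;
    uint32_t expires;             /* absolute time at which the entry is dropped */
};

struct listener {
    struct half_open backlog[BACKLOG_MAX];
    uint32_t trusted[MAX_TRUSTED]; /* hosts the policy must always admit */
    int      ntrusted;
    bool     under_attack;         /* flag a user-space daemon would flip */
};

/* Drop SYN_RCVD entries whose timer ran out ("syn_rcvd expired" in the mail). */
static void expire_half_open(struct listener *l, uint32_t now)
{
    for (int i = 0; i < BACKLOG_MAX; i++)
        if (l->backlog[i].used && l->backlog[i].expires <= now)
            l->backlog[i].used = false;
}

static bool is_trusted(const struct listener *l, uint32_t addr)
{
    for (int i = 0; i < l->ntrusted; i++)
        if (l->trusted[i] == addr)
            return true;
    return false;
}

/* The policy a user-space daemon could push in: under attack, admit only trusted hosts. */
static bool policy_admits(const struct listener *l, uint32_t src)
{
    return !l->under_attack || is_trusted(l, src);
}

/* Process one SYN. Returns 1 if a SYN_RCVD entry was queued (a SYN/ACK would be
 * sent), 0 if the SYN was dropped by policy or because the backlog is full. */
static int handle_syn(struct listener *l, uint32_t src, uint16_t sport, uint32_t now)
{
    expire_half_open(l, now);
    if (!policy_admits(l, src))
        return 0;
    for (int i = 0; i < BACKLOG_MAX; i++) {
        if (!l->backlog[i].used) {
            l->backlog[i].used     = true;
            l->backlog[i].src_addr = src;
            l->backlog[i].src_port = sport;
            l->backlog[i].expires  = now + SYN_RCVD_TIMEOUT;
            return 1;
        }
    }
    return 0;   /* backlog full: no room for another half-open connection */
}

#define TRUSTED_HOST 0x0A000001u   /* 10.0.0.1, constructed "always accept" address */
#define RANDOM_HOST  0xC6336401u   /* 198.51.100.1, constructed untrusted address */

static void setup(struct listener *l)
{
    memset(l, 0, sizeof *l);
    l->trusted[0] = TRUSTED_HOST;
    l->ntrusted = 1;
    l->under_attack = true;        /* daemon already switched to restrictive mode */
}

/* Attacker spoofs BACKLOG_MAX SYNs from the trusted address, then a real client
 * on that host tries to connect one second later. Returns the client's result. */
static int spoofed_trusted_flood(void)
{
    struct listener l;
    setup(&l);
    uint32_t now = 1000;
    for (int p = 0; p < BACKLOG_MAX; p++)
        handle_syn(&l, TRUSTED_HOST, (uint16_t)(40000 + p), now);
    return handle_syn(&l, TRUSTED_HOST, 50000, now + 1);
}

/* Same flood, but the client arrives after the spoofed entries have expired. */
static int flood_then_expiry(void)
{
    struct listener l;
    setup(&l);
    uint32_t now = 1000;
    for (int p = 0; p < BACKLOG_MAX; p++)
        handle_syn(&l, TRUSTED_HOST, (uint16_t)(40000 + p), now);
    return handle_syn(&l, TRUSTED_HOST, 50000, now + SYN_RCVD_TIMEOUT + 1);
}

/* The policy does stop an untrusted source; that is the only case it can help with. */
static int untrusted_under_attack(void)
{
    struct listener l;
    setup(&l);
    return handle_syn(&l, RANDOM_HOST, 50000, 1000);
}

int main(void)
{
    printf("trusted client during flood: %s\n",
           spoofed_trusted_flood() ? "queued" : "dropped (backlog full)");
    printf("trusted client after expiry: %s\n",
           flood_then_expiry() ? "queued" : "dropped");
    printf("untrusted source under attack: %s\n",
           untrusted_under_attack() ? "queued" : "dropped by policy");
    return 0;
}
```

The expiry timer is the only thing that frees a slot here, which is why the
attacker needs just enough spoofed SYNs per timeout period to keep the trusted
host locked out; nothing the policy decides about other sources changes that.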