[4244] in linux-net channel archive


Re: SYN floods

daemon@ATHENA.MIT.EDU (Henry W Miller)
Sat Aug 31 00:15:32 1996

Date: 	Fri, 30 Aug 1996 20:11:46 -0500 (CDT)
From: Henry W Miller <mill0440@gold.tc.umn.edu>
cc: linux-net@vger.rutgers.edu
In-Reply-To: <96Aug30.135754edt.15389@dvp.cs.toronto.edu>
To: ;@unlisted-recipients (no To-header on input)
On Fri, 30 Aug 1996, Eric Schenk wrote:

> 
> "Theodore Y. Ts'o" <tytso@MIT.EDU> writes:
> >   Date: 	Thu, 29 Aug 1996 14:47:47 -0400
> >   From: "Eric Schenk" <schenk@cs.toronto.edu>
> >
> >   I've been checking through the RFCs and it appears that we can use a
> >   separate set of timeouts for the initial establishment of the connection,
> >   as opposed to timeouts for established connections. Currently we only use
> >   a separate timeout for connections initiated by the local box. Even then,
> >   this timeout is perhaps a bit long, somewhere around the 13 minute mark
> >   in 2.0.x. BSD uses a 75 second timeout for this, but this is perhaps
> >   a bit short, especially for on-demand links over a busy phone line.

After some thought I think that this would provide some relief: on
receiving any SYN, handle it normally, but also send a series of ICMP
pings to the host. If after a short amount of time no pings come back,
assume the host is dead and kill the connection. In theory a ping should
get through quickly, so we at least know there is a valid host behind
this IP address.

This does not, however, help if the SYN flooder picks valid IP addresses,
but if the flooder picks a constant valid address we can also make an
"only one SYN per host in the queue" rule.

In the end this can only be addressed at the ISP end: if every ISP would
keep track of its users' valid IP addresses and filter sources that didn't
fit there... but this is unlikely to happen.

> >Why not make this a run-time configurable option, via the sysctl
> >interface?  If you have a direct connection to the internet, then you'll

Whatever is done will need to be runtime configurable, since some busy
hosts may have a valid reason (say, each host on ATM or such) to generate a
huge number of SYNs.

> Yes, this is probably the right way to do things. I'm not sure if a
> sysctl patch is the "right thing" for the 2.0.x series, but certainly
> it is for the 2.1.x series. I'll look at this on the weekend, maybe
> if the change is small enough Linus will take it for 2.0.x as well.
> If not, maybe I'll try and make a separate patch available.

Certainly what I'm proposing is not suitable for the 2.0.x series.
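The message above argues about three knobs for a SYN-flooded listener: how long an unanswered SYN/ACK holds a backlog slot (the 13 minute vs. 75 second question), a "one SYN per host in the queue" rule against a flooder using a single real address, and ISP-side filtering of source addresses that do not belong to the customer. The following is an added example written for this page, not code from the thread or from the Linux 2.0.x kernel: a toy Python model of the half-open (SYN_RECV) queue that feeds it the two kinds of flood the poster describes and checks whether a legitimate client can still get a slot. The queue capacity of 128, the 1 SYN/s attack rate, the addresses (10.x.y.z spoofed sources, 203.0.113.5 fixed source, 192.0.2.10 legitimate client, 198.51.100.0/24 customer range) and the `ingress_filter` helper are all constructed for the illustration; the ICMP-probe idea is not modelled.

```python
"""Toy SYN-backlog model for the mitigations discussed in the thread.
Added example; simplified and not the kernel's real data structures."""
import ipaddress
from collections import OrderedDict


class HalfOpenQueue:
    """Half-open entries of one listening socket, oldest first."""

    def __init__(self, capacity, syn_timeout, per_source_limit=None):
        self.capacity = capacity                  # backlog slots available
        self.syn_timeout = syn_timeout            # seconds an unanswered SYN/ACK is kept
        self.per_source_limit = per_source_limit  # 1 == "one SYN per host" rule
        self.entries = OrderedDict()              # (src_ip, src_port) -> arrival time
        self.rejected = 0

    def _expire(self, now):
        # Drop entries whose connect-phase timeout has run out.
        for key in [k for k, t in self.entries.items() if now - t >= self.syn_timeout]:
            del self.entries[key]

    def on_syn(self, src_ip, src_port, now):
        """True if the SYN gets a backlog slot (i.e. we would send SYN/ACK)."""
        self._expire(now)
        if self.per_source_limit is not None:
            from_src = sum(1 for ip, _ in self.entries if ip == src_ip)
            if from_src >= self.per_source_limit:
                self.rejected += 1
                return False
        if len(self.entries) >= self.capacity:
            self.rejected += 1
            return False
        self.entries[(src_ip, src_port)] = now
        return True

    def on_ack(self, src_ip, src_port):
        """Third packet of the handshake: the entry leaves the half-open queue."""
        return self.entries.pop((src_ip, src_port), None) is not None

    def __len__(self):
        return len(self.entries)


def flood(queue, duration, rate, src_for):
    """Send `rate` SYNs per second for `duration` seconds and never complete them.
    src_for(i) picks the (possibly spoofed) source address of SYN number i."""
    i = 0
    for t in range(duration):
        for _ in range(rate):
            queue.on_syn(src_for(i), 1024 + (i % 60000), t)
            i += 1
    return queue


def legit_client_gets_in(queue, now):
    """Does a real client (constructed address) get a slot at time `now`?"""
    return queue.on_syn("192.0.2.10", 40000, now)


def ingress_filter(src_ip, customer_prefixes):
    """ISP-side anti-spoofing check suggested in the message: only forward a
    customer's packet if its source lies in the ranges assigned to that customer."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in customer_prefixes)


def run_scenarios(capacity=128, rate=1, duration=900):
    """Returns {scenario: (backlog length after the flood, legit client accepted?)}."""
    spoofed = lambda i: "10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255)
    fixed = lambda i: "203.0.113.5"
    results = {}
    # 2.0.x-style ~13 minute (780 s) connect timeout: 1 SYN/s fills 128 slots and keeps them.
    q = flood(HalfOpenQueue(capacity, 780), duration, rate, spoofed)
    results["spoofed_13min"] = (len(q), legit_client_gets_in(q, duration - 1))
    # BSD-style 75 s timeout: the same flood only ever holds ~75 slots.
    q = flood(HalfOpenQueue(capacity, 75), duration, rate, spoofed)
    results["spoofed_75s"] = (len(q), legit_client_gets_in(q, duration - 1))
    # Single real source plus the one-SYN-per-host rule: one slot, nothing more.
    q = flood(HalfOpenQueue(capacity, 780, per_source_limit=1), duration, rate, fixed)
    results["fixed_src_one_per_host"] = (len(q), legit_client_gets_in(q, duration - 1))
    return results


if __name__ == "__main__":
    for name, (held, accepted) in run_scenarios().items():
        print("%-24s backlog=%3d legit client accepted=%s" % (name, held, accepted))
    print("ingress 198.51.100.7:", ingress_filter("198.51.100.7", ["198.51.100.0/24"]))
    print("ingress 10.1.2.3:    ", ingress_filter("10.1.2.3", ["198.51.100.0/24"]))
```

The model makes the poster's caveat concrete: the per-source cap neutralises a flooder that reuses one real address, but does nothing against randomly spoofed sources, where only the shorter connect-phase timeout (or filtering at the ISP before the spoofed packets leave its network) keeps the backlog from staying full.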
