[4265] in linux-net channel archive
Re: SYN floods
daemon@ATHENA.MIT.EDU (Speed Racer)
Mon Sep 2 20:01:53 1996
Date: Mon, 2 Sep 1996 18:30:32 -0400 (EDT)
From: Speed Racer <shagboy@dns.bluesky.net>
To: Bernd Eckenfels <ecki@inka.de>
cc: submit-linux-dev-net@ratatosk.yggdrasil.com
In-Reply-To: <500abk$gj0@nz12.rz.uni-karlsruhe.de>
On 28 Aug 1996, Bernd Eckenfels wrote:
> : Okay. Who says we "have" to answer all SYN's? The RFC's? Very well, I'll
> : accept that for a truly compliant TCP stack, we have to answer them all. My
> : idea is not to turn this off and detect SYN floods in the kernel; it's just
> : to add the necessary hooks to implement a policy change on the fly (perhaps
> : with a userland daemon).
>
> Well, the problem with this is that the userland daemon can do a lot of
> things, but it has no chance to keep your backlog from filling. Since you
> always want to accept connections from certain hosts and the attacker can
> always pick those hosts as the source of their spoofed syns.
Hmm.. Can you arbitrarily drop connects from the backlog if you want? For
instance, can you peek at the backlog, see if the address is a "naughty"
one, and drop it? Or does this violate the RFC?
Either way, even if you do always want to accept connections from certain
hosts, the userland daemon could attempt to detect a SYN flood and disable
access from those hosts for (say) 2-5 minutes. It might be better than
nothing... sort of like firewalling rules implemented on the fly by a
smart daemon rather than by hand. Would that work?
shag
Judd Bourgeois shagboy@bluesky.net
Finger for PGP public key
There's a lost man with a bitter soul
For only a moment did life make him whole
And while he was, he thought he was invincible...
Matthew Sweet, "Smog Moon"
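The on-the-fly policy shag sketches above (a daemon that spots a SYN flood from a source and shuts that source out for a few minutes) as an added example; this is not code from the thread, and the threshold, window, block duration and sample addresses are assumed. As Bernd points out, a spoofing attacker can borrow a trusted host's address, so this models only the temporary-block mechanism, not a complete defence.

```python
"""Sliding-window SYN counter with temporary source blocks, the policy
discussed in the thread.  Added example; all tunables are assumed values."""
from collections import deque, defaultdict

THRESHOLD = 50          # SYNs from one source inside the window before reacting (assumed)
WINDOW = 10.0           # seconds of history counted per source (assumed)
BLOCK_SECONDS = 180.0   # 3 minutes, within the "2-5 minutes" range in the mail


class SynMonitor:
    def __init__(self, threshold=THRESHOLD, window=WINDOW, block_seconds=BLOCK_SECONDS):
        self.threshold = threshold
        self.window = window
        self.block_seconds = block_seconds
        self.recent = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.blocked = {}                  # src -> time at which the block expires

    def expire(self, now):
        """Lift blocks whose time has run out (the 'reopen after a few minutes' step)."""
        for src in [s for s, until in self.blocked.items() if until <= now]:
            del self.blocked[src]

    def observe_syn(self, src, now):
        """Record one SYN from src at time `now`; return True if src is blocked."""
        self.expire(now)
        if src in self.blocked:
            return True
        q = self.recent[src]
        q.append(now)
        while q and now - q[0] > self.window:   # forget SYNs older than the window
            q.popleft()
        if len(q) > self.threshold:             # flood: block this source for a while
            self.blocked[src] = now + self.block_seconds
            q.clear()
            return True
        return False


def replay(events, monitor=None):
    """Feed (time, src) events in order; return (sources blocked, monitor)."""
    m = monitor or SynMonitor()
    hit = []
    for t, src in events:
        if m.observe_syn(src, t) and src not in hit:
            hit.append(src)
    return hit, m


# Constructed sample: one source sends 60 SYNs in 6 seconds, a normal client sends 3.
SAMPLE = sorted([(i * 0.1, "10.0.0.9") for i in range(60)]
                + [(1.0, "10.0.0.2"), (2.0, "10.0.0.2"), (3.0, "10.0.0.2")])
```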