[4266] in linux-net channel archive
Re: SYN floods
daemon@ATHENA.MIT.EDU (Speed Racer)
Mon Sep 2 20:08:12 1996
Date: Mon, 2 Sep 1996 18:46:42 -0400 (EDT)
From: Speed Racer <shagboy@dns.bluesky.net>
To: linux-vger@wab-tis.rabobank.nl, submit-linux-dev-net@ratatosk.yggdrasil.com
In-Reply-To: <m0uviuC-0003lAC@sys3.pe1chl.ampr.org>
On Wed, 28 Aug 1996, Rob Janssen reading Linux mailinglist wrote:
> Of course the difficult problem is 'how to determine that the SYN was
> from an existing host'...
My suggestion is still to use DNS. It is not perfect, but it is better
than nothing.
> What could be tried is to delete the 'oldest' entry in SYN_RCVD state
> whenever a SYN is received and too many connections are in SYN_RCVD state,
> but probably that still will deny some service to legitimate users that
> happen to be on a slow link.
Well, I think this could be deemed acceptable under SYN flood conditions.
What is needed is a way to change the kernel behavior on the fly to
actually do this or not.
I think a better idea is to try a "quick" DNS reversal (allow, say, 15-30
seconds) and drop the connects that can't be reversed. This might be a
little better than simply dropping the oldest, which could easily be valid
(maybe even connected over a fast link, if timed right). Of course, you
could probably make this configurable too.
shag
Judd Bourgeois shagboy@bluesky.net
Finger for PGP public key
There's a lost man with a bitter soul
For only a moment did life make him whole
And while he was, he thought he was invincible...
Matthew Sweet, "Smog Moon"
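Added example (not from the original message or its author): a small Python model of the two SYN_RCVD policies discussed in the exchange above, "refuse new SYNs when the queue is full" versus "evict the oldest half-open entry to make room", plus the reverse-DNS filter shag proposes. The queue size, tick counts, timeout, address ranges and the PTR table are all constructed for illustration; the reverse-DNS check is a dictionary stand-in for a real PTR lookup, not an implementation of one.

```python
from collections import OrderedDict
from typing import Dict, Optional, Tuple

Key = Tuple[str, int]  # (source address, source port) of one half-open connection


class SynQueue:
    """Toy model of one listening socket's SYN_RCVD (half-open) queue."""

    def __init__(self, capacity: int, evict_oldest: bool, timeout: int = 40,
                 ptr_table: Optional[Dict[str, str]] = None) -> None:
        self.capacity = capacity          # max entries in SYN_RCVD state
        self.evict_oldest = evict_oldest  # when full: evict oldest (True) or refuse new (False)
        self.timeout = timeout            # ticks before an unanswered SYN_RCVD entry expires
        self.ptr_table = ptr_table        # constructed stand-in for reverse DNS; None = no check
        self.half_open = OrderedDict()    # key -> arrival tick; insertion order is age order
        self.refused = 0                  # SYNs refused because the queue was full
        self.evicted = 0                  # oldest entries thrown out to make room
        self.no_ptr = 0                   # SYNs refused because the source has no PTR record

    def expire(self, now: int) -> None:
        """Drop entries whose SYN_RCVD timer has run out (they are the oldest)."""
        while self.half_open:
            _, t0 = next(iter(self.half_open.items()))
            if now - t0 < self.timeout:
                break
            self.half_open.popitem(last=False)

    def on_syn(self, src: Key, now: int) -> bool:
        """Handle an incoming SYN; True if a half-open entry was created."""
        self.expire(now)
        if self.ptr_table is not None and src[0] not in self.ptr_table:
            self.no_ptr += 1          # "drop the connects that can't be reversed"
            return False
        if len(self.half_open) >= self.capacity:
            if not self.evict_oldest:
                self.refused += 1     # classic behaviour: queue full, SYN ignored
                return False
            self.half_open.popitem(last=False)  # evict the oldest SYN_RCVD entry
            self.evicted += 1
        self.half_open[src] = now
        return True

    def on_ack(self, src: Key, now: int) -> bool:
        """Third handshake packet; True only if the entry survived until now."""
        self.expire(now)
        return self.half_open.pop(src, None) is not None


def simulate(evict_oldest: bool, client_rtt: int, capacity: int = 8, flood_rate: int = 2,
             flood_ticks: int = 30, ptr_table: Optional[Dict[str, str]] = None) -> dict:
    """Spoofed flood of flood_rate SYNs per tick that never completes a handshake,
    plus one legitimate client whose SYN arrives at tick 10 and whose ACK arrives
    client_rtt ticks later. Returns whether the client got in and completed."""
    q = SynQueue(capacity, evict_oldest, ptr_table=ptr_table)
    client: Key = ("192.0.2.10", 40000)     # constructed legitimate source
    syn_at, ack_at = 10, 10 + client_rtt
    result = {"syn_accepted": False, "handshake_ok": False}
    n = 0
    for now in range(flood_ticks):
        for _ in range(flood_rate):
            # constructed spoofed sources: distinct, never answer, no PTR record
            q.on_syn((f"203.0.113.{n % 256}", 1024 + n), now)
            n += 1
        if now == syn_at:
            result["syn_accepted"] = q.on_syn(client, now)
        if now == ack_at:
            result["handshake_ok"] = q.on_ack(client, now)
    result.update(refused=q.refused, evicted=q.evicted, no_ptr=q.no_ptr)
    return result


if __name__ == "__main__":
    print("refuse-new, fast client :", simulate(evict_oldest=False, client_rtt=3))
    print("evict-oldest, fast client:", simulate(evict_oldest=True, client_rtt=3))
    print("evict-oldest, slow client:", simulate(evict_oldest=True, client_rtt=5))
    print("PTR filter, fast client  :",
          simulate(evict_oldest=False, client_rtt=3, ptr_table={"192.0.2.10": "client.example"}))
```

Running the scenarios shows the trade-off the two posters describe: with refuse-new, once the flood has filled the queue no legitimate SYN gets in at all; with evict-oldest, a client whose ACK arrives within a few ticks completes the handshake, while a client on a slow link has its entry evicted by later flood SYNs before its ACK arrives. The PTR-filtered run lets the client through only because the spoofed sources have no entry in the constructed table; a real lookup costs a round trip per SYN and an attacker can spoof addresses that do reverse-resolve, which is why this stays a heuristic. Linux later adopted SYN cookies (net.ipv4.tcp_syncookies), which avoid keeping per-SYN state in the first place.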