[4267] in linux-net channel archive
Re: SYN floods
daemon@ATHENA.MIT.EDU (Speed Racer)
Mon Sep 2 20:56:51 1996
Date: Mon, 2 Sep 1996 19:21:02 -0400 (EDT)
From: Speed Racer <shagboy@dns.bluesky.net>
To: Henry W Miller <mill0440@gold.tc.umn.edu>
cc: linux-net@vger.rutgers.edu
In-Reply-To: <Pine.SOL.3.91.960830200116.8456A-100000@gold.tc.umn.edu>
On Fri, 30 Aug 1996, Henry W Miller wrote:
> After some thought I think that this would provide some relief: on
> receiving any syn, handle it normally, but also send a series of ICMP
> pings to the host. If after a short amount of time no pings come back
> assume the host is dead, and kill the connection. In theory a ping should
> get through quickly, so we at least know there is a valid host behind
> this ip address.

Although many won't like that idea since we don't know how long a ping
will actually take, I think it's pretty intelligent. In the real world,
things do go through pretty quickly, and we can at least make those
assumptions for certain conditions (SYN floods for instance).

> This does not however help if the syn flooder picks valid ip addresses.
> but if the flooder picks a constant valid address we can also make an only
> one syn per host in the queue rule.

Well, this might not be a good idea. I think Netscape will open more than
one connection simultaneously. But a limit of (say) 4 would not be bad; a
dynamically-configurable limit wouldn't be too hard.

> In the end this can only be addressed at the ISP end, if every ISP would
> keep track of its users' valid ip addresses and filter sources that didn't
> fit there... but this is unlikely to happen.

I agree 100%. We should make this an active effort rather than a passive
one.

> Certainly what I'm proposing is not suitable for 2.0.0x series.

But of course :) I think it'd be a great candidate for 2.1 tho.
shag
Judd Bourgeois shagboy@bluesky.net
Finger for PGP public key
There's a lost man with a bitter soul
For only a moment did life make him whole
And while he was, he thought he was invincible...
Matthew Sweet, "Smog Moon"
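
The per-host cap on queued SYNs discussed in the message above, as an added example that is not part of the original thread and is not Linux kernel code. The class name, the backlog size of 16, the 3-second timeout and the documentation-range addresses are assumptions; the limit of 4 is the figure suggested in the reply.

```python
from collections import Counter, deque

class SynBacklog:
    """Toy half-open connection queue with a per-source cap (constructed model)."""
    def __init__(self, capacity=16, per_source_limit=4, timeout=3.0):
        self.capacity = capacity                  # total half-open slots
        self.per_source_limit = per_source_limit  # plain attribute: adjustable at runtime
        self.timeout = timeout                    # seconds a half-open entry may wait
        self.pending = deque()                    # (arrival_time, src, sport), oldest first
        self.by_source = Counter()                # src -> half-open entries held

    def _release(self, src):
        self.by_source[src] -= 1
        if self.by_source[src] == 0:
            del self.by_source[src]

    def expire(self, now):
        """Drop half-open entries that have waited for the full timeout."""
        while self.pending and now - self.pending[0][0] >= self.timeout:
            _, src, _ = self.pending.popleft()
            self._release(src)

    def on_syn(self, now, src, sport):
        """Return True if the SYN is queued, False if it is dropped."""
        self.expire(now)
        if len(self.pending) >= self.capacity:
            return False                          # backlog full
        if self.by_source[src] >= self.per_source_limit:
            return False                          # this source already holds its share
        self.pending.append((now, src, sport))
        self.by_source[src] += 1
        return True

    def on_ack(self, src, sport):
        """Handshake completed: remove the entry and free its slot."""
        for entry in self.pending:
            if entry[1] == src and entry[2] == sport:
                self.pending.remove(entry)
                self._release(src)
                return True
        return False

def demo():
    """Constructed traffic: 100 SYNs from one source, then a client opening 5 connections."""
    q = SynBacklog()
    flood = sum(q.on_syn(0.0, "192.0.2.66", 1024 + i) for i in range(100))
    client = sum(q.on_syn(0.1, "198.51.100.7", 40000 + i) for i in range(5))
    return flood, client, len(q.pending)
```

With the default settings the single-source flood holds only 4 of the 16 slots and a client's first 4 parallel connections are queued. SYNs arriving from many different source addresses are not limited by this rule and still fill the backlog until entries time out.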