[4277] in linux-net channel archive

home help back first fref pref prev next nref lref last post

Re: SYN floods

daemon@ATHENA.MIT.EDU (Olaf Titz)
Tue Sep 3 17:09:49 1996

Cc: recipient.list.not.shown:;@vger.rutgers.edu
From: Olaf Titz <olaf@bigred.inka.de>
Date: 	03 Sep 1996 11:37:56 +0200
To: ;@unlisted-recipients (no To-header on input)

Speed Racer  <shagboy@dns.bluesky.net> wrote:
> Hmm.. Can you arbitrarily drop connects from the backlog if you want?  For
> instance, can you peek at the backlog, see if the address is a "naughty"
> one, and drop it?  Or does this violate the RFC?

It would probably be OK RFC-wise, but it isn't possible with the BSD
socket API. You would have to implement new syscalls for this and the
resulting applications would become Linux-specific. Perhaps OK with a
single daemon that looks through all the queues, but not with the
networking applications (e.g. httpd) where such a check does belong
IMHO.

> Either way, even if you do always want to accept connections from certain
> hosts, the userland daemon could attempt to detect a SYN flood and disable
> access from those hosts for (say) 2-5 minutes.  It might be better than
> nothing... sort of like firewalling rules implemented on the fly by a
> smart daemon rather than by hand.  Would that work?

Yes, that would work. You can even do this with the firewalling API
proper. When the daemon gets notified that host X is SYN-flooding, it
does something like ipfwadm -a deny -I -S <X> -D <me>.
The proper place to put the notification mechanism would be the
kerneld message queue.

olaf
-- 
___        Olaf.Titz@inka.de or @{stud,informatik}.uni-karlsruhe.de       ____
__ o           <URL:http://www.inka.de/~bigred/>     <IRC:praetorius>
__/<_              >> Just as long as the wheels keep on turning round
_)>(_)______________ I will live for the groove 'til the sun goes down << ____
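The on-the-fly firewalling sketched above (a daemon notices that host X is SYN-flooding, runs ipfwadm against it, and lifts the rule again a few minutes later), written out as an added Python example; this is not code from the original post or from anyone in the thread. It assumes the daemon polls netstat-style output instead of the kerneld notification Olaf mentions; the sample lines, the threshold of 3 half-open connections per source, and the 180-second block period are constructed for illustration, and the `ipfwadm -d deny ...` form is assumed to be the delete counterpart of the `-a deny` rule quoted in the message.

```python
import time
from collections import Counter

# Constructed sample of "netstat -n" style output (not from the original post).
# One source (192.0.2.7) holds four half-open connections to port 80 on 10.0.0.5.
SAMPLE_NETSTAT = """\
tcp        0      0 10.0.0.5:80      192.0.2.7:1025     SYN_RECV
tcp        0      0 10.0.0.5:80      192.0.2.7:1026     SYN_RECV
tcp        0      0 10.0.0.5:80      192.0.2.7:1027     SYN_RECV
tcp        0      0 10.0.0.5:80      192.0.2.7:1028     SYN_RECV
tcp        0      0 10.0.0.5:80      198.51.100.9:40000 ESTABLISHED
tcp        0      0 10.0.0.5:80      198.51.100.9:40001 SYN_RECV
tcp        0      0 10.0.0.5:25      203.0.113.4:5555   SYN_RECV
"""


def half_open_by_source(netstat_text):
    """Count SYN_RECV (half-open) entries per (local address, remote address)."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp" or fields[5] != "SYN_RECV":
            continue
        local_addr = fields[3].rsplit(":", 1)[0]   # strip the port
        remote_addr = fields[4].rsplit(":", 1)[0]
        counts[(local_addr, remote_addr)] += 1
    return counts


def flooders(counts, threshold):
    """Sorted (me, src) pairs whose half-open count reaches the threshold."""
    return sorted(key for key, n in counts.items() if n >= threshold)


def deny_rule(me, src):
    # The rule form quoted in the message.
    return "ipfwadm -a deny -I -S %s -D %s" % (src, me)


def undeny_rule(me, src):
    # Assumed delete counterpart (ipfwadm -d removes a matching rule).
    return "ipfwadm -d deny -I -S %s -D %s" % (src, me)


class BlockList:
    """Tracks temporary deny rules and when each one should be lifted."""

    def __init__(self, block_seconds):
        self.block_seconds = block_seconds
        self.expiry = {}   # (me, src) -> time at which the block lifts

    def add(self, me, src, now):
        """Return the command to run, or None if src is already blocked
        (in which case the block period is simply refreshed)."""
        already = (me, src) in self.expiry
        self.expiry[(me, src)] = now + self.block_seconds
        return None if already else deny_rule(me, src)

    def expire(self, now):
        """Return the delete commands for blocks whose time is up and forget them."""
        cmds = []
        for key in sorted(self.expiry):
            if self.expiry[key] <= now:
                cmds.append(undeny_rule(key[0], key[1]))
                del self.expiry[key]
        return cmds


def scan_once(netstat_text, blocklist, now, threshold=3):
    """One polling pass: flag flooders and return the ipfwadm commands to run."""
    counts = half_open_by_source(netstat_text)
    cmds = []
    for me, src in flooders(counts, threshold):
        cmd = blocklist.add(me, src, now)
        if cmd:
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    bl = BlockList(block_seconds=180)
    for cmd in scan_once(SAMPLE_NETSTAT, bl, now=time.time()):
        print(cmd)               # the daemon would os.system() this
    # later, from the same polling loop:
    for cmd in bl.expire(time.time() + 200):
        print(cmd)
```

A caveat the thread leaves implicit: SYN floods normally carry forged source addresses, so a per-source rule of this kind only helps against a flood from a fixed address, and a daemon that blocks whatever source shows up in the backlog can be steered into cutting off third parties the attacker chose to spoof. The 2-5 minute expiry at least bounds the damage.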
