[4409] in linux-net channel archive
Re: (fwd) BoS: Tool for stopping SYN floods
daemon@ATHENA.MIT.EDU (Rob Janssen reading Linux mailingl)
Sun Sep 15 22:21:09 1996
From: linux@pe1chl.ampr.org (Rob Janssen reading Linux mailinglist)
To: alan@lxorguk.ukuu.org.uk (Alan Cox)
Date: Sun, 15 Sep 1996 10:14:36 +0200 (MET DST)
Cc: submit-linux-dev-net@ratatosk.yggdrasil.com
In-Reply-To: <51f2m9$4ic@lightning.swansea.linux.org.uk> from "Alan Cox" at Sep 14, 96 08:56:57 pm
Reply-To: linux-vger@wab-tis.rabobank.nl
According to Alan Cox:
> Of course you can't tell a SYN waiting for ack from a fake SYN waiting for
> an ACK that won't come. If we want to do what this piece of software
> claims to do we can set a limit on the time we wait until a connection
> completes. Setting a limit is not a bad plan.
>
> The big problem is that we can't really go from waiting for the final
> ACK to closed without risking resetting a real connection. Statistically
> I think however it is better we take that small risk.
I think one reasonable approach is to look at the number of connections
in SYN_RCVD state. When it exceeds a certain limit, and yet another SYN
comes in, one other connection in SYN_RCVD state needs to be reset first.
This could, for example, be the oldest connection, the oldest one from
the same IP address, the oldest one from the same port number, or a
random one.
A simple "take the oldest connection" algorithm is probably not the best
choice, because an attacker could simply block all access from not-very-fast
clients by sending a sequence of SYNs corresponding to the number of
accepted SYN_RCVD connections (whose default is of course widely known
once it is implemented).
With this approach you handle the problem of SYN flooding without imposing
a short timeout on valid connection establishment (which undoubtedly would
cause problems in the packet radio network).
A system which isn't under attack will not be affected by the
countermeasures against a possible attack.
Rob
--
+------------------------------------+--------------------------------------+
| Rob Janssen pe1chl@amsat.org | WWW: http://www.knoware.nl/users/rob |
| AMPRnet: rob@pe1chl.ampr.org | AX.25 BBS: PE1CHL@PI8WNO.#UTR.NLD.EU |
+------------------------------------+--------------------------------------+
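As an added illustration (not part of Rob's mail, nor any kernel code), the following Python model simulates the SYN_RCVD eviction policies he proposes. The backlog size of 128, the flood rate during the slow client's round trip, and all addresses are constructed assumptions; the model shows why "evict the oldest" lets a steady flood lock out a slow client while random eviction leaves it a real chance to complete.

```python
"""Model of a SYN_RCVD table with a hard limit and an eviction policy.

Constructed model, not kernel code: the half-open table holds at most
BACKLOG entries.  When it is full and another SYN arrives, one existing
entry is evicted to make room.  A slow legitimate client's SYN arrives
while a flood is in progress, and its ACK lands only after the flooder
has sent FLOOD_DURING_RTT more SYNs.  The client connects only if its
entry is still present at that moment.
"""
import random
from collections import OrderedDict

BACKLOG = 128                 # assumed limit on SYN_RCVD entries
FLOOD_DURING_RTT = 128        # assumed flood SYNs arriving during one slow RTT
LEGIT = ("10.0.0.7", 40000)   # constructed legitimate client (ip, port)


def accept_syn(table, key, policy, rng):
    """Insert key into table, first evicting one entry if the table is full."""
    if len(table) >= BACKLOG:
        if policy == "oldest":
            victim = next(iter(table))          # OrderedDict keeps arrival order
        elif policy == "random":
            victim = rng.choice(list(table))    # uniform choice among all entries
        else:
            raise ValueError("unknown policy: %r" % policy)
        del table[victim]
    table[key] = True


def slow_client_connects(policy, rng):
    """True if the slow client's entry survives until its ACK arrives."""
    table = OrderedDict()
    # Constructed flood: one spoofed-looking source address, fresh port per SYN.
    flood = (("192.0.2.1", 1024 + i) for i in range(10**9))
    for _ in range(BACKLOG):                  # table already full of bogus entries
        accept_syn(table, next(flood), policy, rng)
    accept_syn(table, LEGIT, policy, rng)     # the real client's SYN arrives
    for _ in range(FLOOD_DURING_RTT):         # flood continues during its RTT
        accept_syn(table, next(flood), policy, rng)
    return LEGIT in table                     # still there when the ACK lands?


def success_rate(policy, trials=2000, seed=1):
    """Fraction of trials in which the slow client completes its handshake."""
    rng = random.Random(seed)
    return sum(slow_client_connects(policy, rng) for _ in range(trials)) / trials
```

With these parameters "oldest" never lets the slow client through, since its entry becomes the oldest after 127 further SYNs and is evicted by the 128th; "random" lets it survive with probability (127/128)^128, roughly 0.37.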