[1121] in linux-security and linux-alert archive


Re: [linux-security] SYN flooding (was inetd and

daemon@ATHENA.MIT.EDU (Rob Hagopian)
Fri Aug 30 19:58:51 1996

In-Reply-To: <199608251807.LAA09455@onyx.infonexus.com>
Date: Fri, 30 Aug 1996 07:52:32 -0400
To: linux-security@tarsier.cv.nrao.edu
From: Rob Hagopian <hagopiar@vuser.vu.union.edu>

>	Remember that the inetd (and TCPd) filters work after the completion
>	of the 3-way handshake.  SYN flooding only satisfies the first part
>	of the 3-way handshake.  I can deny TCP/23 with TCPd from all but
>	trusted IP addresses.  It can still be SYN flooded however.

What about simply dropping the oldest SYN connections after the port(s)
have been flooded, always leaving a connection available?
	This won't help too much in a continuous flood mode as any legit
connections might be wiped out along with the dummy SYN packets, but this
could be alleviated somewhat with larger buffers...
	Also, when this threshold is reached, it would be a good time to
start alerting the sysadmin.
	Thus, a proactive solution is achieved, while a permanent solution
can be investigated. Also, I don't believe that this would require too much
effort on the part of the kernel to track (as opposed to tracking the IP
addr of SYN packets, which would fail anyways under a random SYN flood
attack).
	Of course, I'm not too well versed in this area, so this could be
completely harebrained... :-)
							-Rob Hagopian
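A toy model of the evict-oldest backlog proposed above, added here as an illustration and not code from the original thread. It simulates a continuous flood of SYNs from constructed, never-completing sources against a small and a larger half-open queue, to show the caveat raised in the post: a legitimate half-open entry is wiped out before its final ACK arrives unless the buffer is large enough, while the high-water mark still fires an alert either way.

```python
from collections import OrderedDict

# Constructed model of a bounded half-open (SYN_RECV) queue. When full, the
# oldest entry is dropped so one slot is always free; crossing a threshold
# flags the sysadmin. Entries are keyed by the peer's (ip, port) tuple.
class SynBacklog:
    def __init__(self, capacity, alert_threshold):
        self.capacity = capacity
        self.alert_threshold = alert_threshold
        self.half_open = OrderedDict()  # peer -> tick when its SYN arrived
        self.evicted = 0
        self.alerted = False

    def on_syn(self, peer, tick):
        if peer in self.half_open:          # retransmitted SYN keeps its slot
            return
        if len(self.half_open) >= self.capacity:
            self.half_open.popitem(last=False)  # drop the oldest half-open entry
            self.evicted += 1
        self.half_open[peer] = tick
        if len(self.half_open) >= self.alert_threshold and not self.alerted:
            self.alerted = True             # threshold reached: alert the sysadmin

    def on_ack(self, peer):
        # Final ACK of the 3-way handshake: succeeds only if the entry survived.
        return self.half_open.pop(peer, None) is not None


def simulate(capacity, flood_per_tick, ack_delay, ticks=20):
    """One legitimate client sends its SYN at tick 0 and its ACK at tick
    ack_delay while flood_per_tick SYNs from distinct constructed sources
    (which never ACK) arrive every tick. Returns (legit_completed, alerted,
    evicted_count)."""
    backlog = SynBacklog(capacity, alert_threshold=capacity // 2)
    legit = ("192.0.2.10", 40000)           # constructed client (TEST-NET-1)
    backlog.on_syn(legit, 0)
    completed, n = False, 0
    for tick in range(1, ticks + 1):
        for _ in range(flood_per_tick):
            backlog.on_syn(("203.0.113.1", 1024 + n), tick)  # constructed source
            n += 1
        if tick == ack_delay:
            completed = backlog.on_ack(legit)
    return completed, backlog.alerted, backlog.evicted


if __name__ == "__main__":
    print("small backlog :", simulate(capacity=8, flood_per_tick=4, ack_delay=3))
    print("larger backlog:", simulate(capacity=64, flood_per_tick=4, ack_delay=3))
```

With the small backlog the legitimate entry is evicted before its ACK arrives and the handshake fails; with the larger one it completes, and the alert still fires once the queue passes the high-water mark.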
