[4528] in North American Network Operators' Group


Re: SYN and Solaris

daemon@ATHENA.MIT.EDU (Sanjay Dani(maillists))
Tue Sep 17 21:26:56 1996

Date: Tue, 17 Sep 1996 18:18:53 -0700 (PDT)
From: Sanjay Dani(maillists) <indus@professionals.com>
To: nanog@merit.edu


> From: dvv@sprint.net (Dima Volodin)
> The values to play with are tcp_conn_req_max (defines the max value for
> listen queue), tcp_ip_notify_cinterval (makes tcp send another SYN???),
> tcp_ip_abort_cinterval (aborts connection and frees the slot). Note "c"
> in "cinterval". I understand these timer values work for both incoming
> and outgoing connections.

On Solaris, the default for tcp_ip_abort_cinterval is
180000 ms (3 mins). You could try reducing it to a few seconds
(at the risk of denying service to legit clients connecting over
slow links) using

	#ndd -set /dev/tcp tcp_ip_abort_cinterval <value in ms>

This affects ALL tcp connections on the system.

Solaris also lets you set the parameter for a specific destination
port if the SYN attacker does not use a random destination port:

	#include <netinet/in.h>
	#include <netinet/tcp.h>
	....
	int value = <whatever>;	/* threshold in ms for this listening socket */
	
	/* fd is the listening socket bound to the port under attack */
	setsockopt(fd, IPPROTO_TCP, TCP_CONN_ABORT_THRESHOLD, &value, sizeof(value));
	....

Sanjay.

PS. This feature may or may not be documented--I got it from a
friend at SunSoft.
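The per-socket knob described in the post, as an added example rather than code from the post or from SunSoft: a small listener that applies TCP_CONN_ABORT_THRESHOLD (the spelling used by the Solaris netinet/tcp.h header) to its listening socket, guarded with #ifdef so the same source compiles on systems that lack the option. The port (8080), the 5000 ms threshold, the ABORT_* return codes, the check_abort_ms() range policy (reject non-positive values and anything above the 180000 ms default the post quotes, since those would either be meaningless or a no-op) are all this example's own assumptions, not anything the post specifies.

```c
/* Added example, not from the NANOG post: listener that applies the
 * per-socket connection abort threshold. TCP_CONN_ABORT_THRESHOLD is a
 * Solaris-specific socket option; elsewhere apply_conn_abort_threshold()
 * reports ABORT_UNSUPPORTED instead of failing. The value-range policy in
 * check_abort_ms() is this example's assumption. */
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define SOLARIS_DEFAULT_ABORT_CINTERVAL_MS 180000  /* 3 minutes, as quoted in the post */

enum { ABORT_OK = 0, ABORT_BAD_VALUE = -1, ABORT_SYSCALL_FAILED = -2, ABORT_UNSUPPORTED = -3 };

/* Reject non-positive values and values above the system default: above the
 * default the option changes nothing, and the post warns that very low
 * values deny service to legitimate clients on slow links. */
int check_abort_ms(int ms)
{
    if (ms <= 0 || ms > SOLARIS_DEFAULT_ABORT_CINTERVAL_MS)
        return ABORT_BAD_VALUE;
    return ABORT_OK;
}

/* 1 if this build has the Solaris option available, 0 otherwise. */
int tcp_conn_abort_threshold_supported(void)
{
#ifdef TCP_CONN_ABORT_THRESHOLD
    return 1;
#else
    return 0;
#endif
}

/* Apply the threshold (in ms) to a listening socket. */
int apply_conn_abort_threshold(int fd, int ms)
{
    if (check_abort_ms(ms) != ABORT_OK)
        return ABORT_BAD_VALUE;
#ifdef TCP_CONN_ABORT_THRESHOLD
    if (setsockopt(fd, IPPROTO_TCP, TCP_CONN_ABORT_THRESHOLD, &ms, sizeof(ms)) < 0)
        return ABORT_SYSCALL_FAILED;
    return ABORT_OK;
#else
    (void)fd;
    return ABORT_UNSUPPORTED;
#endif
}

/* Create a listener on 0.0.0.0:port with the given backlog (the per-socket
 * counterpart of tcp_conn_req_max) and apply the threshold to it.
 * Returns the fd, or -1 with errno set. */
int make_listener(unsigned short port, int backlog, int abort_ms)
{
    struct sockaddr_in sa;
    int one = 1;
    int rc;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(fd, backlog) < 0) {
        close(fd);
        return -1;
    }
    rc = apply_conn_abort_threshold(fd, abort_ms);
    if (rc == ABORT_SYSCALL_FAILED) {
        close(fd);
        return -1;
    }
    if (rc == ABORT_UNSUPPORTED)
        fprintf(stderr, "TCP_CONN_ABORT_THRESHOLD not available here; "
                        "only the system-wide ndd setting applies\n");
    return fd;
}

int main(void)
{
    int fd = make_listener(8080, 1024, 5000);  /* 5 s threshold: example value */
    if (fd < 0) {
        perror("make_listener");
        return 1;
    }
    printf("listening on :8080, connection abort threshold %s\n",
           tcp_conn_abort_threshold_supported() ? "applied" : "unsupported on this platform");
    close(fd);
    return 0;
}
```

Because the option is set on the listening socket, it only narrows the aggressive timeout to that one port, which is the point of preferring it over the ndd setting that the post notes affects every TCP connection on the host.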



