[4531] in North American Network Operators' Group
SYN attack. how does it *really* work
daemon@ATHENA.MIT.EDU (Jonathan M. Bresler)
Tue Sep 17 21:43:37 1996
From: "Jonathan M. Bresler" <jmb@freefall.freebsd.org>
To: michael@memra.com (Michael Dillon)
Date: Tue, 17 Sep 1996 18:33:24 -0700 (PDT)
Cc: nanog@merit.edu
In-Reply-To: <Pine.BSI.3.93.960917171801.21768H-100000@sidhe.memra.com> from "Michael Dillon" at Sep 17, 96 05:21:07 pm
Michael Dillon wrote:
>
> If it only takes 8 SYN packets to lock up a socket for 75 seconds then
> effective SYN flood attacks certainly *CAN* be launched from a dialup
> connection. And if the definition of an effective attack allows for
> intermittently shutting down a socket then effective attacks certainly
> *CAN* be launched from places like Uruguay, Brazil, Indonesia and so forth.
Not 8: only 2 SYN packets into the same connection are needed
(a connection is a single src addr, src port, dest addr,
dest port 4-tuple).
Not 75 seconds: ~11 minutes.
The essence of the bug is:
one timer, t_timer[TCPT_KEEP], used for 2 purposes:
--to hold the 75 second half-open timer
--to hold the 2 hour keepalive timer
The first SYN packet sets the timer to 75 seconds;
the second trips the bug and resets the timer to 2 hours.
So where does the 11 minutes come from?
The server (target) sends SYN-ACK packets, and retransmits
the SYN-ACK until it either gets a response or gives up
when TCP_MAXRXTSHIFT is exceeded. The latter takes ~11 minutes.
The fix is to qualify the setting of the timer a la:
    if (TCPS_HAVEESTABLISHED(tp->t_state))
            tp->t_timer[TCPT_KEEP] = tcp_keepidle;  /* re-arm the 2 hour keepalive only once established */
and to set the timer at each location where the TCP/IP state
machine transitions to TCPS_ESTABLISHED.
Each half-open socket consumes 264 bytes of memory (assuming
perfect allocation ;)
All BSD-derived TCP/IP implementations are/may be susceptible
to this bug. That includes AIX, SVR4, and SunOS.
Stevens' TCP/IP Illustrated Vol. 3, p. 191 explains this much better
than I can.
jmb
--
Jonathan M. Bresler FreeBSD Postmaster jmb@FreeBSD.ORG
FreeBSD--4.4BSD Unix for PC clones, source included. http://www.freebsd.org/
PGP 2.6.2 Fingerprint: 31 57 41 56 06 C1 40 13 C5 1C E3 E5 DC 62 0E FB
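Added example, not from the post above and not from any BSD source tree: a toy C model of the single-timer bug and its qualified fix as the post describes them. The 75 second half-open timeout, the 2 hour keepalive and the "~11 minute" SYN-ACK give-up are the post's figures; the state ordering and the TCPS_HAVEESTABLISHED macro follow the BSD convention, but the timer runs in whole simulated seconds rather than 500 ms slow-timeout ticks, the retransmission give-up is modelled as a flat deadline instead of the real exponential backoff table, and every function and field name here is the example's own assumption.

```c
/* Toy model of the 4.4BSD SYN_RCVD keepalive-timer bug (constructed
 * example; not BSD kernel code). One slot, t_timer_keep, does double
 * duty as the half-open timer and the keepalive timer, exactly as the
 * post describes. */
#include <stdbool.h>
#include <stdio.h>

/* BSD-style state ordering so that "established or later" is a >= test. */
enum tcp_state { TCPS_CLOSED = 0, TCPS_LISTEN, TCPS_SYN_SENT,
                 TCPS_SYN_RECEIVED, TCPS_ESTABLISHED };
#define TCPS_HAVEESTABLISHED(s) ((s) >= TCPS_ESTABLISHED)

#define TCPTV_KEEP_INIT_SECS   75            /* half-open timer, from the post */
#define TCP_KEEPIDLE_SECS      (2 * 60 * 60) /* keepalive idle timer, from the post */
#define SYNACK_GIVEUP_SECS     (11 * 60)     /* assumed flat stand-in for TCP_MAXRXTSHIFT */

#define TH_SYN 0x02
#define TH_ACK 0x10

struct tcpcb {
    enum tcp_state t_state;
    int t_timer_keep;   /* seconds left on the single TCPT_KEEP slot */
    int t_rxt_secs;     /* seconds spent retransmitting the SYN-ACK */
};

static bool fixed_kernel; /* false = behaviour the post describes, true = patched */

/* Process one inbound segment for this pcb. */
static void tcp_input(struct tcpcb *tp, int flags)
{
    if (tp->t_state == TCPS_LISTEN) {
        if (flags & TH_SYN) {
            /* Embryonic connection: arm the 75 second half-open timer. */
            tp->t_state = TCPS_SYN_RECEIVED;
            tp->t_timer_keep = TCPTV_KEEP_INIT_SECS;
            tp->t_rxt_secs = 0;
        }
        return;
    }
    /* Segment matched an existing pcb (same 4-tuple). The unpatched
     * kernel re-armed the keepalive timer here for every segment, so a
     * second SYN into a half-open pcb stretched 75 s to 2 h. The fix
     * qualifies the assignment on the connection being established. */
    if (!fixed_kernel || TCPS_HAVEESTABLISHED(tp->t_state))
        tp->t_timer_keep = TCP_KEEPIDLE_SECS;

    if (tp->t_state == TCPS_SYN_RECEIVED && (flags & TH_ACK)) {
        /* Third packet of the handshake. Second half of the fix: arm
         * the keepalive explicitly at the transition to ESTABLISHED. */
        tp->t_state = TCPS_ESTABLISHED;
        tp->t_timer_keep = TCP_KEEPIDLE_SECS;
    }
}

/* Advance the pcb by one simulated second. */
static void tcp_slowtimo(struct tcpcb *tp)
{
    if (tp->t_state == TCPS_CLOSED || tp->t_state == TCPS_LISTEN)
        return;
    if (tp->t_state == TCPS_SYN_RECEIVED &&
        ++tp->t_rxt_secs >= SYNACK_GIVEUP_SECS) {
        tp->t_state = TCPS_CLOSED;  /* SYN-ACK retransmissions exhausted */
        return;
    }
    if (tp->t_timer_keep > 0 && --tp->t_timer_keep == 0) {
        if (!TCPS_HAVEESTABLISHED(tp->t_state))
            tp->t_state = TCPS_CLOSED;          /* half-open timer: drop the pcb */
        else
            tp->t_timer_keep = TCP_KEEPIDLE_SECS; /* established: keepalive probe would go out */
    }
}

/* SYN at t=0, optional second SYN on the same 4-tuple at t=second_syn_at
 * (negative = none), never an ACK. Returns how many seconds the
 * half-open pcb stayed alive. */
int half_open_lifetime(bool fixed, int second_syn_at)
{
    struct tcpcb tp = { TCPS_LISTEN, 0, 0 };
    int t;
    fixed_kernel = fixed;
    tcp_input(&tp, TH_SYN);
    for (t = 0; tp.t_state != TCPS_CLOSED; t++) {
        if (t == second_syn_at)
            tcp_input(&tp, TH_SYN);
        tcp_slowtimo(&tp);
    }
    return t;
}

/* Complete the handshake and report the keepalive timer that results,
 * showing that the fix still arms the 2 hour timer on ESTABLISHED. */
int keep_after_handshake(bool fixed)
{
    struct tcpcb tp = { TCPS_LISTEN, 0, 0 };
    fixed_kernel = fixed;
    tcp_input(&tp, TH_SYN);
    tcp_input(&tp, TH_ACK);
    return tp.t_state == TCPS_ESTABLISHED ? tp.t_timer_keep : -1;
}

int main(void)
{
    printf("unpatched, single SYN:      %d s\n", half_open_lifetime(false, -1));
    printf("unpatched, second SYN @10s: %d s\n", half_open_lifetime(false, 10));
    printf("patched,   second SYN @10s: %d s\n", half_open_lifetime(true, 10));
    printf("patched, keepalive after handshake: %d s\n", keep_after_handshake(true));
    return 0;
}
```

The unpatched run with a second SYN lives until the modelled SYN-ACK give-up (660 s here) rather than the full 2 hours, which is where the post's "~11 minutes, not 75 seconds" comes from; the patched run drops the embryonic pcb at 75 s regardless of the second SYN, while a completed handshake still ends up with the 2 hour keepalive armed.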