[2315] in bugtraq
Re: denial of service attack possible
daemon@ATHENA.MIT.EDU (Tom Fitzgerald)
Sat Oct 28 23:12:30 1995
Date: Fri, 27 Oct 1995 13:51:14 EDT
Reply-To: Bugtraq List <BUGTRAQ@crimelab.com>
From: Tom Fitzgerald <fitz@wang.com>
X-To: BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@crimelab.com>
In-Reply-To: <199510270507.BAA26188@marksys.misty.com>; from "Mark Thomas" at
Oct 27, 95 1:07 am
> Last night, the machine completely stopped accepting connections on port
> 80 to the web server.
> tcp 0 0 205.164.146.26.80 146.94.1.2.2972 SYN_RCVD
> tcp 0 0 205.164.146.26.80 146.94.1.2.2763 SYN_RCVD
> It concerns me that one remote site can so easily completely block all
> incoming tcp/ip connections on a port. Is this a kernel bug, or something
> I can take some measure to prevent on this end?
You can crank up the second argument to listen() in httpd WAY high, which
will help with this. This is not a complete fix because there's also a
kernel-imposed limit on the number of half-open connections, but it will
get you the ability to tolerate more half-open connections before the
server stops responding.
In general there's no way to defend yourself against denial-of-service
attacks..... this only gives you more headroom.
--
Tom Fitzgerald 1-508-967-5278 Wang Labs, Billerica MA, USA fitz@wang.com
