nanog mailing list archives
Re: SYN floods (was: does history repeat itself?)
From: Taner Halicioglu <taner () CERF NET>
Date: Mon, 9 Sep 1996 19:35:45 -0700 (PDT)
On Mon, 9 Sep 1996, Vektor Sigma wrote:
On my private network I can send 600 or more SYN packets to my telnet port (w/faked, unreachable source addresses + random seq numbers), yet the port doesn't seem to be flooded. It's a linux box. The telnet daemon seems to be able to tell the difference between a faked packet and a real one. Even when spoofing from localhost, it reports a connection from unknown. Obviously, there seems to be a solution to this problem. ??
I'd like to see this. First of all, the telnet daemon never sees the SYN. The SYN is responded to by the kernel (with a SYN/ACK). taner@BOOM:ttyp6 (Linux) ~/code >./syn ./syn srchost dsthost port num taner@BOOM:ttyp6 (Linux) ~/code >./syn 1.2.3.4 boom.net 23 10 synflooding boom.net from 1.2.3.4 port 23 10 times Now to try to connect to it... taner@nic:~ >telnet boom.net Trying 134.24.7.153 ... telnet: connect: Connection timed out telnet> And why? taner@BOOM:ttyp6 (Linux) ~ >netstat -tn | grep 1.2.3.4 tcp 0 1 134.24.7.153:23 1.2.3.4:59914 SYN_RECV root tcp 0 1 134.24.7.153:23 1.2.3.4:60170 SYN_RECV root tcp 0 1 134.24.7.153:23 1.2.3.4:60426 SYN_RECV root tcp 0 1 134.24.7.153:23 1.2.3.4:60682 SYN_RECV root tcp 0 1 134.24.7.153:23 1.2.3.4:60938 SYN_RECV root tcp 0 1 134.24.7.153:23 1.2.3.4:61194 SYN_RECV root tcp 0 1 134.24.7.153:23 1.2.3.4:61706 SYN_RECV root tcp 0 1 134.24.7.153:23 1.2.3.4:61962 SYN_RECV root tcp 0 1 134.24.7.153:23 1.2.3.4:62218 SYN_RECV root taner@BOOM:ttyp6 (Linux) ~ >uname -a Linux BOOM.NET 2.0.0 #5 Sun Sep 1 21:34:31 PDT 1996 i486 Looks like Linux can only queue 9 SYN's... -Taner -=-=-=-=-=-=-=-=-=-=-=-=[ D. Taner Halicioglu ]=-=-=-=-=-=-=-=-=-=-=-=- taner () CERF NET -=- taner () ucsd edu -=- taner () sdsc edu IRC Admin: irc.cerf.net -=- U. of California, San Diego, Computer Sci. taner () cisco com -=- Cisco Systems -=- Enterprise Network Management -=-=-=-=-=-=[ Linux 2.0.* OS -- http://www.sdsc.edu/~taner/ ]=-=-=-=-=- - - - - - - - - - - - - - - - - -
Current thread:
- Re: SYN floods (was: does history repeat itself?), (continued)
- Re: SYN floods (was: does history repeat itself?) Robbie Honerkamp (Sep 09)
- Re: SYN floods (was: does history repeat itself?) Perry E. Metzger (Sep 09)
- Re: SYN floods (was: does history repeat itself?) Perry E. Metzger (Sep 09)
- Re: SYN floods (was: does history repeat itself?) Avi Freedman (Sep 09)
- Re: SYN floods (was: does history repeat itself?) Michael Dillon (Sep 09)
- Re: SYN floods (was: does history repeat itself?) Perry E. Metzger (Sep 09)
- Re: SYN floods (was: does history repeat itself?) Dima Volodin (Sep 09)
- Re: SYN floods (was: does history repeat itself?) Avi Freedman (Sep 09)
- Re: SYN floods (was: does history repeat itself?) Vektor Sigma (Sep 09)
- Re: SYN floods (was: does history repeat itself?) Avi Freedman (Sep 09)
- Re: SYN floods (was: does history repeat itself?) Taner Halicioglu (Sep 09)
- Re: SYN floods (was: does history repeat itself?) Curtis Villamizar (Sep 12)
- Re: SYN floods (was: does history repeat itself?) Perry E. Metzger (Sep 12)
- Re: SYN floods (was: does history repeat itself?) alex (Sep 13)
- Re: SYN floods (was: does history repeat itself?) Mr. Jeremy Hall (Sep 13)
- Re: SYN floods (was: does history repeat itself?) alex (Sep 14)
- Re: SYN floods (was: does history repeat itself?) Mr. Jeremy Hall (Sep 14)
- High-speed filtering boxes (Was: Re: SYN floods...) Paul Frommeyer (Sep 19)
- Re: High-speed filtering boxes (Was: Re: SYN floods...) Deepak Jain (Sep 19)
- Re: High-speed filtering boxes (Was: Re: SYN floods...) Paul Frommeyer (Sep 19)
- Re: SYN floods (was: does history repeat itself?) Dima Volodin (Sep 09)