nanog mailing list archives

Re: SYN Resisting


From: Chris Layton <cll () cais cais com>
Date: Wed, 11 Sep 1996 17:54:02 -0400 (EDT)



On Wed, 11 Sep 1996, Avi Freedman wrote:

> In order to build a SYN-resistant BSD kernel, you need to modify one
> file in src/sys/os, uipc_socket2.c, and you also need to modify
> src/sys/netinet/tcp_timer.h and you have to rebuild tcp_usrreq.c and
> tcp_input.c in the netinet directory.

For those of you running Solaris 2.5, this can be done using ndd. The man
page and the "ndd /dev/tcp \?" command will get you started. You will have
to tweak the following variables: "tcp_conn_req_max" and
"tcp_conn_grace_period". This will have roughly the same effects as Avi's
patches.

> From the bottom level up, change TCPTV_KEEP_INIT from 75*PR_SLOWHZ
> to 7*PR_SLOWHZ (or whatever # you want).  This timeout (the 75) is
> the number of seconds that the kernel will keep un-established TCP
> PCB/sockets around for...  When the SYN is received, it is acknowledged
> and the PCB && socket are set up for the embryonic session; the goal
> is to rip those things out of any queues they're in more aggressively.

On web servers, remote users routinely take longer than this to set up
connections. Anything less than 15-20 seconds and you will start losing
hits from those ISPs that Metcalfe seems to frequent.  This isn't a
criticism of Avi's patch. It's just something to be aware of.

> On a Sparc 1+ w/ 4.1.4, I could sustain a 200-400 SYN-packet/sec attack
> and still remain functional (and quick for a 1+), but the machine didn't
> normally run web servers...  Even when I nailed it with 1000 SYNs/sec,
> the machine continued functioning but I couldn't connect to the socket
> being nailed.  A second after stopping the heavier attack, I could.


I have no idea what this will do for performance on Solaris 2.5 machines.

-chris

PS Does anyone have a good source of info on the Solaris implementation
for those of us not lucky enough to have source licenses?
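The trade-off the two of them are describing (a shorter embryonic-PCB timeout lets a fixed backlog survive a higher SYN rate, but starts reaping legitimate clients whose handshake takes longer than the timeout) can be put into a small queue model. This is an added example, not code from the thread; the backlog size, SYN rates and handshake delays are constructed inputs, and attack SYNs are processed before legitimate ones in each second as a worst case.

```python
"""Toy model of the embryonic (half-open) TCP queue under a SYN flood.

timeout_s plays the role of TCPTV_KEEP_INIT in seconds, backlog the role of a
tcp_conn_req_max style limit. Attack SYNs never complete the handshake and sit
in the queue until the timeout reaps them; a legitimate SYN completes after a
per-client handshake delay, or is reaped if that delay exceeds the timeout.
A SYN that arrives while the queue is full is dropped. (Constructed model;
SYN retransmits and per-tick ordering effects are ignored.)
"""


def simulate(timeout_s, backlog, attack_rate, legit_rate, legit_delay_s, duration_s):
    """Return (legit_accepted, legit_dropped, legit_timed_out, peak_queue)."""
    queue = []  # entries: (expiry_tick, completes_tick or None for attack SYNs)
    accepted = dropped = timed_out = peak = 0
    for t in range(duration_s):
        remaining = []
        for expiry, completes in queue:
            if expiry <= t and (completes is None or completes >= expiry):
                # reaped by the keep-init timer before the handshake finished
                if completes is not None:
                    timed_out += 1
            elif completes is not None and completes <= t:
                accepted += 1  # handshake done, entry leaves the embryonic queue
            else:
                remaining.append((expiry, completes))
        queue = remaining
        for _ in range(attack_rate):  # flood SYNs arrive first (worst case)
            if len(queue) < backlog:
                queue.append((t + timeout_s, None))
        for _ in range(legit_rate):  # then real clients try to connect
            if len(queue) < backlog:
                queue.append((t + timeout_s, t + legit_delay_s))
            else:
                dropped += 1
        peak = max(peak, len(queue))
    return accepted, dropped, timed_out, peak


if __name__ == "__main__":
    # 100 flood SYNs/s against a 1024-entry backlog: 75 s timeout fills the
    # queue in ten seconds, 7 s timeout never does.
    print("75 s timeout, flood:", simulate(75, 1024, 100, 10, 2, 60))
    print(" 7 s timeout, flood:", simulate(7, 1024, 100, 10, 2, 60))
    # The cost: clients needing 20 s to complete the handshake get reaped.
    print(" 7 s timeout, slow clients:", simulate(7, 1024, 0, 10, 20, 60))
    print("75 s timeout, slow clients:", simulate(75, 1024, 0, 10, 20, 60))
```

The model reproduces the rough arithmetic behind the thread: a queue holds about rate × timeout half-open entries, so cutting the timeout from 75 to 7 seconds raises the flood rate a given backlog can absorb by roughly ten times, at the price of losing any client slower than the new timeout.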
