Re: SYN flood messages flooding my mailbox

["Jonathan M. Bresler" <jmb () freefall freebsd org>]

Curtis Villamizar wrote:
> In message <199609161637.MAA20184 () netaxs com>, Avi Freedman writes:
> > > implementation.  This is a denial of service exposure that has gone
> > > unaddressed in host implementations until recently.  BSD now uses a
> > > hash table on the TCP PCBs (protocol control blocks in the kernel) and
> > > with change of removal of the check can support close to 64K-2000 PCBs
> >
> > Hmm.  Interesting.  I was told that NetBSD did not...
> > Which version of BSD should I look at?  A hash table on a static array of
> > PCBs is a much better solution than letting a linked list get to 2000
> > entries...
>
> Oops.  That's in a BSDI patch (PATCH K210-019) but I'm not sure about
> FreeBSD or NetBSD distributions since I don't have one handy.

        The SYN_RCVD bug has been fixed in FreeBSD source.
        i should know, i wrote the patch.  
        as a result, the attacker has to sink the machine in less than
        75 seconds, else it begins to free resources.  before the patch
        the attacker had ~11 minutes to do the deed. (would have been
        2 hours but for retransmission of the SYN-ACK packet by the target)

        the bug is dicsussed in detail on page 191 of tcp/ip illustrated
        by rick stevens.  

        we have not yet moved to a hask table.  soon.
        our SO_MAXCONN is 128, rather than the common 5.

jmb
--
Jonathan M. Bresler           FreeBSD Postmaster             jmb () FreeBSD ORG
FreeBSD--4.4BSD Unix for PC clones, source included. http://www.freebsd.org/
PGP 2.6.2 Fingerprint:      31 57 41 56 06 C1 40 13  C5 1C E3 E5 DC 62 0E FB

> Curtis
>
> ps- (My 6 year old has a FreeBSD system, but its 2.0.5.  Got to get
> him to upgrade. :)

        darn tooting!  ;)

- - - - - - - - - - - - - - - - -