nanog mailing list archives

Re: SYN flood messages flooding my mailbox


From: Matt Bush <xomox () boris eden com>
Date: Tue, 17 Sep 1996 13:29:42 -0500 (CDT)


In message <199609161637.MAA20184 () netaxs com>, Avi Freedman writes:

implementation.  This is a denial of service exposure that has gone
unaddressed in host implementations until recently.  BSD now uses a
hash table on the TCP PCBs (protocol control blocks in the kernel) and
with change of removal of the check can support close to 64K-2000 PCBs

Hmm.  Interesting.  I was told that NetBSD did not...
Which version of BSD should I look at?  A hash table on a static array of
PCBs is a much better solution than letting a linked list get to 2000
entries...

Oops.  That's in a BSDI patch (PATCH K210-019) but I'm not sure about
FreeBSD or NetBSD distributions since I don't have one handy.

I'm not sure about prior releases, but FreeBSD 2.1.0 and above do hash
PCBs, with a default hash size of 128.  The constant name is TCBHASHSIZE
in netinet/tcp_subr.c.  To raise it, just add

options         "TCBHASHSIZE=2048"      # More capable TCB hash

  ... and if you feel the need, add

options         "UDBHASHSIZE=1024"      # More capable UDB hash

to your kern config file.

Curtis

ps- (My 6 year old has a FreeBSD system, but it's 2.0.5.  Got to get
him to upgrade. :)

Version 2.1.5-Release is now available.  ;-)

  Cheers,

   -Matt
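The hashed PCB table Curtis describes above, as an added example that is not code from the thread or from FreeBSD: a toy model in C in which the bucket count plays the role of TCBHASHSIZE, the 4-tuple hash and the sample connections are constructed, and the longest bucket chain stands in for the work a lookup must do once a flood of half-open connections has filled the table.

```c
/* Added example, not code from the thread or from FreeBSD: a simplified
 * model of a hashed TCP PCB table, showing why the bucket count
 * (TCBHASHSIZE) bounds per-lookup work.  The 4-tuple hash is constructed. */
#include <stdint.h>
#include <stdlib.h>

struct pcb {
    uint32_t faddr, laddr;
    uint16_t fport, lport;
    struct pcb *next;                /* chain inside one hash bucket */
};

/* Map the connection 4-tuple onto a bucket (constructed hash). */
static size_t pcb_hash(size_t nbuckets, uint32_t faddr, uint16_t fport,
                       uint32_t laddr, uint16_t lport) {
    uint32_t h = faddr * 2654435761u ^ laddr ^ ((uint32_t)fport << 16 | lport);
    return (h >> 7) % nbuckets;
}

/* Push a new PCB onto the head of its bucket's chain. */
static void pcb_insert(struct pcb **buckets, size_t nbuckets, uint32_t faddr,
                       uint16_t fport, uint32_t laddr, uint16_t lport) {
    struct pcb *p = malloc(sizeof *p);
    p->faddr = faddr; p->fport = fport; p->laddr = laddr; p->lport = lport;
    size_t b = pcb_hash(nbuckets, faddr, fport, laddr, lport);
    p->next = buckets[b];
    buckets[b] = p;
}
/* Longest chain: the most PCBs a lookup must walk in the worst case. */
static size_t max_chain(struct pcb **buckets, size_t nbuckets) {
    size_t worst = 0;
    for (size_t b = 0; b < nbuckets; b++) {
        size_t n = 0;
        for (struct pcb *p = buckets[b]; p; p = p->next) n++;
        if (n > worst) worst = n;
    }
    return worst;
}

/* Insert n half-open connections from varied sources (deterministic LCG, so
 * runs are reproducible); nbuckets == 1 models the old unhashed linked list. */
size_t worst_chain_after_flood(size_t nbuckets, size_t n) {
    struct pcb **buckets = calloc(nbuckets, sizeof *buckets);
    uint32_t s = 12345u;
    for (size_t i = 0; i < n; i++) {
        s = s * 1103515245u + 12345u;
        pcb_insert(buckets, nbuckets, s, (uint16_t)(1024 + (s >> 16) % 60000),
                   0x0A000001u, 80);         /* local side 10.0.0.1:80 */
    }
    return max_chain(buckets, nbuckets);
}
```

With 2000 entries, a single list walks all 2000, 128 buckets still leave chains of 16 or more, and 2048 buckets keep every chain short.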