Date: Thu, 12 Sep 1996 17:15:22 -0700 (PDT)
From: "Jonathan M. Bresler" <jmb>
To: brandon@glacier.cold.org (Brandon Gillespie)
Cc: freebsd-security@FreeBSD.org
Subject: Re: SYN attacks
Message-ID: <199609130015.RAA14767@freefall.freebsd.org>
In-Reply-To: <Pine.BSF.3.91.960912161413.5589A-100000@glacier.cold.org> from "Brandon Gillespie" at Sep 12, 96 04:16:51 pm
Brandon Gillespie wrote:
>
> I am basically without knowledge in regard to TCP protocols. What I'm
> wondering is how susceptible FreeBSD is to the SYN flooding attacks like
> those that took down panix.com? A patch to the linux kernel came out in
> the magazine '2600' which enabled one to do the SYN flooding, so I suspect
> it's going to become more common. Somebody mentioned a patch for BSD
> style kernels from Avi Freedman of NetAxs.com.
there are two steps that you can take:
-get the patch from problem report 1600
-decrease the value of TCPTV_KEEP_INIT from 75*PR_SLOWHZ to, say, 10*PR_SLOWHZ. this was suggested by Karl Denniger (sp?) of MCS in chicago.
i have included the patch below.
Index: tcp_input.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/tcp_input.c,v
retrieving revision 1.46
diff -c -2 -r1.46 tcp_input.c
*** tcp_input.c 1996/05/02 05:54:12 1.46
--- tcp_input.c 1996/09/12 00:32:50
***************
*** 451,455 ****
*/
tp->t_idle = 0;
! tp->t_timer[TCPT_KEEP] = tcp_keepidle;
/*
--- 451,456 ----
*/
tp->t_idle = 0;
! if (TCPS_HAVEESTABLISHED(tp->t_state))
! tp->t_timer[TCPT_KEEP] = tcp_keepidle;
/*
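Review bot: the new `if (TCPS_HAVEESTABLISHED(tp->t_state))` guard deserves a comment saying why the keepalive reset is skipped before the connection is established: without the guard, any segment that matches a half-open (SYN_RECEIVED) connection pushes its timer from the handshake timeout TCPTV_KEEP_INIT out to `tcp_keepidle`, which is exactly the window the rest of this mail is trying to shorten. A line such as `/* keep TCPTV_KEEP_INIT running until the handshake completes */` above the `if` would make the intent clear to the next reader.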
***************
*** 833,839 ****
tp->t_flags &= ~TF_NEEDFIN;
tiflags &= ~TH_SYN;
! } else
tp->t_state = TCPS_ESTABLISHED;
!
} else {
/*
--- 834,841 ----
tp->t_flags &= ~TF_NEEDFIN;
tiflags &= ~TH_SYN;
! } else {
tp->t_state = TCPS_ESTABLISHED;
! tp->t_timer[TCPT_KEEP] = tcp_keepidle;
! }
} else {
/*
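Review bot: `tp->t_timer[TCPT_KEEP] = tcp_keepidle;` is now written out by hand at every place the state is set to TCPS_ESTABLISHED (this hunk and the two that follow); a small helper or macro for the ESTABLISHED transition would keep them from drifting apart, because a transition that forgets the assignment now leaves the connection running on the short handshake timer instead of the idle keepalive.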
***************
*** 860,865 ****
tp->t_state = TCPS_FIN_WAIT_1;
tp->t_flags &= ~TF_NEEDFIN;
! } else
tp->t_state = TCPS_ESTABLISHED;
tp->t_flags |= TF_NEEDSYN;
} else
--- 862,869 ----
tp->t_state = TCPS_FIN_WAIT_1;
tp->t_flags &= ~TF_NEEDFIN;
! } else {
tp->t_state = TCPS_ESTABLISHED;
+ tp->t_timer[TCPT_KEEP] = tcp_keepidle;
+ }
tp->t_flags |= TF_NEEDSYN;
} else
***************
*** 1184,1189 ****
tp->t_state = TCPS_FIN_WAIT_1;
tp->t_flags &= ~TF_NEEDFIN;
! } else
tp->t_state = TCPS_ESTABLISHED;
/*
* If segment contains data or ACK, will call tcp_reass()
--- 1188,1195 ----
tp->t_state = TCPS_FIN_WAIT_1;
tp->t_flags &= ~TF_NEEDFIN;
! } else {
tp->t_state = TCPS_ESTABLISHED;
+ tp->t_timer[TCPT_KEEP] = tcp_keepidle;
+ }
/*
* If segment contains data or ACK, will call tcp_reass()
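Review bot: this last hunk confirms the patch touches only tcp_input.c, so the diff implements step one of the mail; step two, lowering TCPTV_KEEP_INIT from 75*PR_SLOWHZ to about 10*PR_SLOWHZ, is a separate edit to the header that defines the constant and should be stated explicitly so nobody assumes applying the diff alone shortens the handshake timeout. Worth checking as well that 10*PR_SLOWHZ (10 seconds, given 75*PR_SLOWHZ is 75 seconds) is still long enough for legitimate clients on slow links to finish the handshake, since the same timer now drops them.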
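As an added illustration, not kernel source or code from this thread, the following C model of the keepalive-timer logic shows what the two steps in the reply change for a half-open connection. The constant values, the tick-based slow timer and the state names are assumed to follow 4.4BSD, and `ticks_until_dropped` is a simulation helper, not a kernel function.

```c
/* Added model (not kernel source) of the keepalive-timer logic the tcp_input.c
 * patch above changes. Units are slow-timer ticks; values assumed from 4.4BSD. */
#define PR_SLOWHZ        2                        /* 2 slow-timer ticks per second */
#define TCPTV_KEEP_INIT  (75 * PR_SLOWHZ)         /* handshake timeout, 75 s */
#define TCPTV_KEEP_IDLE  (120 * 60 * PR_SLOWHZ)   /* idle keepalive, 2 h */
enum { CLOSED, SYN_RECEIVED, ESTABLISHED };
#define HAVEESTABLISHED(s) ((s) >= ESTABLISHED)
struct tcb { int state; int keep; };

/* Any segment for a known connection. Unpatched code re-arms the 2-hour
 * keepalive unconditionally; patched (hunk 1) only once established. */
static void segment_received(struct tcb *tp, int patched)
{
    if (!patched || HAVEESTABLISHED(tp->state))
        tp->keep = TCPTV_KEEP_IDLE;
}

/* Final ACK of the handshake: the patch (hunks 2-4) arms the timer here. */
static void handshake_done(struct tcb *tp, int patched)
{
    segment_received(tp, patched);
    tp->state = ESTABLISHED;
    if (patched)
        tp->keep = TCPTV_KEEP_IDLE;
}

/* Keepalive expiry in the slow timer: drop half-open entries, re-arm others. */
static void slowtimo(struct tcb *tp)
{
    if (tp->keep > 0 && --tp->keep == 0) {
        if (tp->state < ESTABLISHED)
            tp->state = CLOSED;
        else
            tp->keep = TCPTV_KEEP_IDLE;
    }
}

/* A SYN creates a half-open entry armed with keep_init; a stray second segment
 * for it arrives at extra_tick and the handshake completes at done_tick (0 =
 * never). Returns the tick the entry is dropped, 0 if alive after 2 * keepidle. */
int ticks_until_dropped(int patched, int keep_init, int extra_tick, int done_tick)
{
    struct tcb tp = { SYN_RECEIVED, keep_init };
    int t;
    for (t = 1; t <= 2 * TCPTV_KEEP_IDLE; t++) {
        slowtimo(&tp);
        if (tp.state == CLOSED)
            return t;
        if (t == extra_tick)
            segment_received(&tp, patched);
        if (t == done_tick)
            handshake_done(&tp, patched);
    }
    return 0;
}
```

With the stock constants, one stray segment at tick 100 keeps an unpatched half-open entry alive for the full two hours, while the patched kernel still drops it at TCPTV_KEEP_INIT; lowering TCPTV_KEEP_INIT to 10*PR_SLOWHZ shortens that further.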