North American Network Operators Group


Re: SYN floods (was: does history repeat itself?)

  • From: Taner Halicioglu
  • Date: Mon Sep 09 22:36:40 1996

On Mon, 9 Sep 1996, Vektor Sigma wrote:

> On my private network I can send 600 or more SYN packets to my telnet port 
> (w/faked, unreachable source addresses + random seq numbers), yet the 
> port doesn't seem to be flooded.
> 
> It's a linux box.
> 
> The telnet daemon seems to be able to tell the difference between a faked 
> packet and a real one.  Even when spoofing from localhost, it reports a 
> connection from unknown.
> 
> Obviously, there seems to be a solution to this problem.  ??

I'd like to see this.  First of all, the telnet daemon never sees the SYN.
The SYN is responded to by the kernel (with a SYN/ACK).

[email protected]:ttyp6 (Linux) ~/code >./syn 
./syn srchost dsthost port num
[email protected]:ttyp6 (Linux) ~/code >./syn 1.2.3.4 boom.net 23 10
synflooding boom.net from 1.2.3.4 port 23 10 times

Now to try to connect to it...

[email protected]:~ >telnet boom.net
Trying 134.24.7.153 ...
telnet: connect: Connection timed out
telnet> 

And why?

[email protected]:ttyp6 (Linux) ~ >netstat -tn | grep 1.2.3.4
tcp        0      1 134.24.7.153:23        1.2.3.4:59914          SYN_RECV root       
tcp        0      1 134.24.7.153:23        1.2.3.4:60170          SYN_RECV root       
tcp        0      1 134.24.7.153:23        1.2.3.4:60426          SYN_RECV root       
tcp        0      1 134.24.7.153:23        1.2.3.4:60682          SYN_RECV root       
tcp        0      1 134.24.7.153:23        1.2.3.4:60938          SYN_RECV root       
tcp        0      1 134.24.7.153:23        1.2.3.4:61194          SYN_RECV root       
tcp        0      1 134.24.7.153:23        1.2.3.4:61706          SYN_RECV root       
tcp        0      1 134.24.7.153:23        1.2.3.4:61962          SYN_RECV root       
tcp        0      1 134.24.7.153:23        1.2.3.4:62218          SYN_RECV root       

[email protected]:ttyp6 (Linux) ~ >uname -a
Linux BOOM.NET 2.0.0 #5 Sun Sep 1 21:34:31 PDT 1996 i486

Looks like Linux can only queue 9 SYNs...

	-Taner
-=-=-=-=-=-=-=-=-=-=-=-=[ D. Taner Halicioglu ]=-=-=-=-=-=-=-=-=-=-=-=-
     [email protected]   -=-   [email protected]   -=-   [email protected]
 IRC Admin: irc.cerf.net -=- U. of California, San Diego, Computer Sci.
  [email protected] -=- Cisco Systems -=- Enterprise Network Management
-=-=-=-=-=-=[ Linux 2.0.* OS -- http://www.sdsc.edu/~taner/ ]=-=-=-=-=-
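
Added example, not part of the original message or the poster's code: a small monitor-side check that reads `netstat -tn` text in the layout shown above and reports listeners whose count of SYN_RECV (half-open) entries reaches a threshold. The function names, the threshold value and the sample rows are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# One `netstat -tn` row: proto, recv-q, send-q, local addr:port, remote addr:port, state
ROW = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")

def half_open_by_listener(netstat_text):
    """Map (local_ip, local_port) -> Counter of remote IPs stuck in SYN_RECV."""
    pending = defaultdict(Counter)
    for line in netstat_text.splitlines():
        m = ROW.match(line.strip())
        if m and m.group(5) == "SYN_RECV":
            pending[(m.group(1), int(m.group(2)))][m.group(3)] += 1
    return pending

def flag_listeners(netstat_text, threshold):
    """Return (ip, port, half_open, distinct_sources) for listeners at or over threshold.

    Sources in a SYN flood are usually forged, so the alert keys on the
    listener's total; the source count only hints at one address vs. many.
    """
    hits = []
    for (ip, port), sources in sorted(half_open_by_listener(netstat_text).items()):
        total = sum(sources.values())
        if total >= threshold:
            hits.append((ip, port, total, len(sources)))
    return hits

# Constructed sample in the layout of the netstat output above (not captured data).
SAMPLE = "\n".join(
    [f"tcp        0      1 134.24.7.153:23        1.2.3.4:{50000 + i}          SYN_RECV root"
     for i in range(9)]
    + ["tcp        0      0 134.24.7.153:22        192.0.2.10:40112       ESTABLISHED root",
       "tcp        0      1 134.24.7.153:80        192.0.2.77:40200       SYN_RECV root",
       "Active Internet connections (w/o servers)"]
)

if __name__ == "__main__":
    # threshold=9 is an assumption taken from the nine entries seen in the message
    for ip, port, total, nsrc in flag_listeners(SAMPLE, threshold=9):
        print(f"{ip}:{port} has {total} half-open connections from {nsrc} source(s)")
```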
