North American Network Operators Group

Re: SYN Resisting
On Wed, 11 Sep 1996, Avi Freedman wrote:
>
> In order to build a SYN-resistant BSD kernel, you need to modify one
> file in src/sys/os, uipc_socket2.c, and you also need to modify
> src/sys/netinet/tcp_timer.h and you have to rebuild tcp_usrreq.c and
> tcp_input.c in the netinet directory.

For those of you running Solaris 2.5, this can be done using ndd. The man
page and the "ndd /dev/tcp \?" command will get you started. You will have
to tweak the following variables: "tcp_conn_req_max" and
"tcp_conn_grace_period". This will have roughly the same effects as Avi's
patches.

>
> From the bottom level up, change TCPTV_KEEP_INIT from 75*PR_SLOWHZ
> to 7*PR_SLOWHZ (or whatever # you want). This timeout (the 75) is
> the number of seconds that the kernel will keep un-established TCP
> PCB/sockets around for... When the SYN is received, it is acknowledged
> and the PCB && socket are set up for the embryonic session; the goal
> is to rip those things out of any queues they're in more aggressively.

On web servers, remote users routinely take longer than this to set up
connections. Anything less than 15-20 seconds and you will start losing
hits from those ISPs that Metcalfe seems to frequent. This isn't a
criticism of Avi's patch. It's just something to be aware of.

>
> On a Sparc 1+ w/ 4.1.4, I could sustain a 200-400 SYN-packet/sec attack
> and still remain functional (and quick for a 1+), but the machine didn't
> normally run web servers... Even when I nailed it with 1000 SYNs/sec,
> the machine continued functioning but I couldn't connect to the socket
> being nailed. A second after stopping the heavier attack, I could.
>

I have no idea what this will do for performance on Solaris 2.5 machines.

-chris

PS Does anyone have a good source of info on the Solaris implementation
for those of us not lucky enough to have source licenses?
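As an added illustration of the trade-off the two posts describe (this is not code from the thread or from any BSD or Solaris source), the C model below mirrors the PR_SLOWHZ and TCPTV_KEEP_INIT macros and works out how many half-open PCBs a given SYN rate leaves in the kernel at the stock 75 s versus the patched 7 s timeout, and which legitimate handshakes the shorter timeout sacrifices. The backlog value and the 12 s dial-up handshake are constructed inputs; PR_SLOWHZ is taken as the 4.4BSD value of 2 ticks per second.

```c
#include <stdio.h>

/* Mirror of the 4.4BSD macros named in the thread: the slow timer ticks
 * PR_SLOWHZ times a second, and TCPTV_KEEP_INIT is the time an embryonic
 * (SYN-received, never completed) connection is kept, in those ticks. */
#define PR_SLOWHZ 2
#define KEEP_INIT_STOCK   (75 * PR_SLOWHZ)   /* stock: 75 s  */
#define KEEP_INIT_PATCHED (7 * PR_SLOWHZ)    /* Avi's patch: 7 s */

/* Steady-state count of half-open PCBs when bogus SYNs arrive at
 * syn_per_sec and each one lingers keep_init_ticks before being ripped
 * out (Little's law: occupancy = arrival rate x holding time). */
static long half_open_pcbs(long syn_per_sec, int keep_init_ticks)
{
    return syn_per_sec * keep_init_ticks / PR_SLOWHZ;
}

/* Highest sustained SYN rate a listen queue of `backlog` embryonic
 * entries (what the Solaris tcp_conn_req_max knob bounds) can absorb
 * before it fills, for a given timeout. */
static long syn_rate_absorbed(long backlog, int keep_init_ticks)
{
    return backlog * PR_SLOWHZ / keep_init_ticks;
}

/* The cost chris raises: a real client whose three-way handshake takes
 * longer than the timeout has its PCB discarded before the final ACK. */
static int legit_handshake_dropped(long handshake_ms, int keep_init_ticks)
{
    return handshake_ms > (long)keep_init_ticks * 1000 / PR_SLOWHZ;
}

int main(void)
{
    const long backlog = 1024;               /* constructed listen backlog */
    const long rates[] = {200, 400, 1000};   /* rates quoted in the thread */
    for (int i = 0; i < 3; i++)
        printf("%5ld SYN/s: %6ld half-open at 75 s, %5ld at 7 s\n",
               rates[i],
               half_open_pcbs(rates[i], KEEP_INIT_STOCK),
               half_open_pcbs(rates[i], KEEP_INIT_PATCHED));
    printf("backlog %ld absorbs %ld SYN/s at 75 s, %ld SYN/s at 7 s\n",
           backlog,
           syn_rate_absorbed(backlog, KEEP_INIT_STOCK),
           syn_rate_absorbed(backlog, KEEP_INIT_PATCHED));
    /* A slow dial-up client needing 12 s to complete the handshake. */
    printf("12 s handshake dropped: 75 s timeout=%d, 7 s timeout=%d\n",
           legit_handshake_dropped(12000, KEEP_INIT_STOCK),
           legit_handshake_dropped(12000, KEEP_INIT_PATCHED));
    return 0;
}
```

The occupancy scales linearly with the timeout, so the 75 s to 7 s change buys roughly a tenfold reduction in lingering PCBs, while every client slower than the new timeout is the price paid.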