North American Network Operators Group


Re: SYN Resisting

  • From: Noam Freedman
  • Date: Thu Sep 12 00:07:39 1996

> For those of you running Solaris 2.5, this can be done using ndd. The man
> page and the "ndd /dev/tcp \?" command will get you started. You will have
> to tweak the following variables "tcp_conn_req_max" and
> "tcp_conn_grace_period". This will have roughly the same effects as Avi's
> patches. 

Avi's patches center around removing the limit on the size of the linked
list.  With ndd, you can only raise the limit to 1024.  Thus, the main
goal of Avi's patch is not possible.

> On web servers, remote users routinely take longer than this to set up
> connections. Anything less than 15-20 seconds and you will start losing
> hits from those ISPs that Metcalfe seems to frequent.  This isn't a
> criticism of Avi's patch. It's just something to be aware of.

Agreed. I would say that a good realistic limit is 30.  Anything below
that and you WILL be kicking off valid connections.  However, I would lower
it as soon as I knew I was being attacked.

> > On a Sparc 1+ w/ 4.1.4, I could sustain a 200-400 SYN-packet/sec attack
> > and still remain functional (and quick for a 1+), but the machine didn't
> > normally run web servers...  Even when I nailed it with 1000 SYNs/sec,
> > the machine continued functioning but I couldn't connect to the socket
> > being nailed.  A second after stopping the heavier attack, I could.
> 
> I have no idea what this will do for performance on Solaris 2.5 machines.

Well, the problem is that since you can only raise the limit to 1024, 200
SYN packets/sec would close up the socket being nailed in 5 seconds.
1000 SYNs/sec would nail the socket closed right away. (Well ok, in a little
over a sec.)

> PS Does anyone have a good source of info on the Solaris implementation
> for those of us not lucky enough to have source licenses?

Someone needs to make similar modifications to Solaris to remove the artificial
limit (assuming the Solaris implementation does not have a hard limit, i.e.
based on something like an array instead of a linked list).

- Noam
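The backlog arithmetic argued over in this message (a 1024-entry limit closing up in about 5 seconds at 200 SYN/s and in just over a second at 1000 SYN/s, and the grace-period trade-off against slow legitimate clients), worked through as an added Python model that is not part of the original thread. The limit, rates and grace periods are the thread's own figures; treating arrivals as exactly one SYN per tick with no ACK ever completing the handshake is a simplifying assumption of this model.

```python
from collections import deque


def simulate_half_open_queue(limit, syn_rate, grace_period, duration):
    """Model a listener's half-open (SYN_RCVD) queue under a steady SYN stream.

    limit        -- maximum half-open entries (e.g. the 1024 ndd ceiling)
    syn_rate     -- unanswered SYNs arriving per second
    grace_period -- seconds an entry lives before the kernel discards it
    duration     -- seconds of arrivals to simulate

    Returns (seconds until the queue first refuses a SYN, or None if it never
    fills; peak queue occupancy).  Time is kept in integer ticks of one SYN
    each so that expiry comparisons are exact.
    """
    grace_ticks = int(grace_period * syn_rate)
    total_ticks = int(duration * syn_rate)
    queue = deque()          # arrival tick of each half-open entry, oldest first
    peak = 0
    saturated_at = None
    for tick in range(total_ticks):
        # Entries older than the grace period are reaped before the new SYN lands.
        while queue and tick - queue[0] >= grace_ticks:
            queue.popleft()
        if len(queue) < limit:
            queue.append(tick)
        elif saturated_at is None:
            # Queue is full: this SYN (legitimate or not) is dropped.
            saturated_at = tick / syn_rate
        peak = max(peak, len(queue))
    return saturated_at, peak


def max_grace_period(limit, syn_rate):
    """Largest grace period (seconds) at which the queue never fills at syn_rate:
    steady-state occupancy is syn_rate * grace_period, so it must stay under limit."""
    return limit / syn_rate


if __name__ == "__main__":
    for rate in (200, 1000):
        full_at, peak = simulate_half_open_queue(1024, rate, 30, 10)
        print(f"{rate} SYN/s, 30 s grace: socket closed after {full_at} s (peak {peak})")
        print(f"  grace period would have to drop below {max_grace_period(1024, rate):.2f} s")
```

Lowering the grace period below the printed figure keeps the socket open, at the cost of any real client that needs longer than that to finish its handshake, which is the tension the reply above describes.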