North American Network Operators Group


Re: SYN flood messages flooding my mailbox

  • From: Jonathan M. Bresler
  • Date: Tue Sep 17 14:37:24 1996

Curtis Villamizar wrote:
> 
> 
> In message <[email protected]>, Avi Freedman writes:
> > 
> > > implementation.  This is a denial of service exposure that has gone
> > > unaddressed in host implementations until recently.  BSD now uses a
> > > hash table on the TCP PCBs (protocol control blocks in the kernel) and
> > > with change of removal of the check can support close to 64K-2000 PCBs
> > 
> > Hmm.  Interesting.  I was told that NetBSD did not...
> > Which version of BSD should I look at?  A hash table on a static array of
> > PCBs is a much better solution than letting a linked list get to 2000
> > entries...
> 
> Oops.  That's in a BSDI patch (PATCH K210-019) but I'm not sure about
> FreeBSD or NetBSD distributions since I don't have one handy.

	The SYN_RCVD bug has been fixed in FreeBSD source.
	i should know, i wrote the patch.  
	as a result, the attacker has to sink the machine in less than
	75 seconds, else it begins to free resources.  before the patch
	the attacker had ~11 minutes to do the deed. (would have been
	2 hours but for retransmission of the SYN-ACK packet by the target)

	the bug is discussed in detail on page 191 of tcp/ip illustrated
	by rick stevens.  

	we have not yet moved to a hash table.  soon.
	our SO_MAXCONN is 128, rather than the common 5.

jmb
--
Jonathan M. Bresler           FreeBSD Postmaster             [email protected]
FreeBSD--4.4BSD Unix for PC clones, source included. http://www.freebsd.org/
PGP 2.6.2 Fingerprint:      31 57 41 56 06 C1 40 13  C5 1C E3 E5 DC 62 0E FB

> 
> Curtis
> 
> ps- (My 6 year old has a FreeBSD system, but its 2.0.5.  Got to get
> him to upgrade. :)

	darn tooting!  ;)

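The thread turns on two kernel knobs: how long a half-open entry sits in SYN_RCVD before its resources are freed (75 seconds after the patch, roughly 11 minutes before), and how many pending connections a listener may hold (SO_MAXCONN, 128 versus the common 5). The following model, added here as an illustration and not code from the post or from FreeBSD, shows how those two numbers together bound the unanswered-SYN rate a listener can absorb before legitimate handshakes start being dropped. The class, function names, timings and addresses are all constructed for the example; the table is keyed by 4-tuple the way the hash-table change the thread mentions would key PCBs.

```python
"""Half-open (SYN_RCVD) queue model: a constructed example, not FreeBSD
code and not the patch described in the post.

It models the SYN_RCVD timeout (how long a half-open entry is kept before
its resources are freed) and the listen backlog (SO_MAXCONN), and shows
how together they bound how many unanswered SYNs a listener can absorb
before legitimate handshakes are dropped. All addresses are constructed
from documentation ranges.
"""
from collections import OrderedDict
from typing import Dict, Tuple

FourTuple = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


class HalfOpenTable:
    """Pending connections in SYN_RCVD for one listening socket."""

    def __init__(self, backlog: int, syn_rcvd_timeout: float) -> None:
        self.backlog = backlog
        self.timeout = syn_rcvd_timeout
        # Keyed by 4-tuple, so a lookup is a hash probe rather than a walk
        # down a linked list of PCBs; insertion order gives oldest-first
        # expiry for free.
        self._entries: "OrderedDict[FourTuple, float]" = OrderedDict()
        self.syns_dropped = 0

    def expire(self, now: float) -> int:
        """Free entries whose SYN_RCVD timer has run out; return how many."""
        freed = 0
        while self._entries:
            key, started = next(iter(self._entries.items()))
            if now - started < self.timeout:
                break  # oldest entry still live, so all newer ones are too
            del self._entries[key]
            freed += 1
        return freed

    def on_syn(self, key: FourTuple, now: float) -> bool:
        """Handle an incoming SYN; False means the backlog was full."""
        self.expire(now)
        if key in self._entries:
            return True  # retransmitted SYN for an entry already held
        if len(self._entries) >= self.backlog:
            self.syns_dropped += 1
            return False
        self._entries[key] = now
        return True

    def on_ack(self, key: FourTuple) -> bool:
        """Third packet of the handshake: the half-open slot is released."""
        return self._entries.pop(key, None) is not None

    def pending(self) -> int:
        return len(self._entries)


def sustainable_unanswered_syn_rate(backlog: int, timeout: float) -> float:
    """Steady rate (per second) of never-completed SYNs the queue can hold
    without filling: backlog / timeout. Above this, legitimate SYNs are
    dropped; this is the sizing rule the two knobs express."""
    return backlog / timeout


def simulate_flood(backlog: int, timeout: float, syn_per_second: int,
                   seconds: int) -> Dict[str, int]:
    """Feed the table `syn_per_second` SYNs per second from constructed
    spoofed sources that never complete the handshake, and once a second
    try one legitimate handshake from a real client."""
    table = HalfOpenTable(backlog, timeout)
    ok = dropped = peak = 0
    n = 0
    for t in range(seconds):
        for _ in range(syn_per_second):
            n += 1
            spoofed = (f"198.51.100.{n % 254 + 1}", 1024 + n, "192.0.2.10", 80)
            table.on_syn(spoofed, float(t))
        client = ("203.0.113.7", 40000 + t, "192.0.2.10", 80)
        if table.on_syn(client, t + 0.5):
            table.on_ack(client)  # real client answers the SYN-ACK at once
            ok += 1
        else:
            dropped += 1
        peak = max(peak, table.pending())
    return {"legit_ok": ok, "legit_dropped": dropped, "peak_pending": peak}


if __name__ == "__main__":
    # Compare the settings discussed in the thread at one unanswered SYN/s.
    for backlog, timeout in ((5, 660.0), (5, 75.0), (128, 660.0), (128, 75.0)):
        rate = sustainable_unanswered_syn_rate(backlog, timeout)
        print(f"backlog={backlog:3d} timeout={timeout:4.0f}s "
              f"sustainable={rate:.2f} SYN/s {simulate_flood(backlog, timeout, 1, 300)}")
```

Running the loop at the bottom shows the point of the patch: with the old ~11-minute timer a backlog of 128 fills in just over two minutes at one unanswered SYN per second, while with the 75-second timer the same backlog never fills at that rate, and a backlog of 5 saturates almost immediately under either timer. Either knob alone is not enough; the ratio backlog/timeout is what sets the absorbable rate.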