SYN Resisting
Chris Layton
cll at cais.cais.com
Wed Sep 11 21:54:02 UTC 1996
On Wed, 11 Sep 1996, Avi Freedman wrote:
>
> In order to build a SYN-resistant BSD kernel, you need to modify one
> file in src/sys/os, uipc_socket2.c, and you also need to modify
> src/sys/netinet/tcp_timer.h and you have to rebuild tcp_usrreq.c and
> tcp_input.c in the netinet directory.
For those of you running Solaris 2.5, this can be done using ndd. The man
page and the "ndd /dev/tcp \?" command will get you started. You will have
to tweak the following variables: "tcp_conn_req_max" and
"tcp_conn_grace_period". This will have roughly the same effects as Avi's
patches.
>
> From the bottom level up, change TCPTV_KEEP_INIT from 75*PR_SLOWHZ
> to 7*PR_SLOWHZ (or whatever # you want). This timeout (the 75) is
> the number of seconds that the kernel will keep un-established TCP
> PCB/sockets around for... When the SYN is received, it is acknowledged
> and the PCB && socket are set up for the embryonic session; the goal
> is to rip those things out of any queues they're in more aggressively.
On web servers, remote users routinely take longer than this to set up
connections. Anything less than 15-20 seconds and you will start losing
hits from those ISPs that Metcalfe seems to frequent. This isn't a
criticism of Avi's patch. It's just something to be aware of.
>
> On a Sparc 1+ w/ 4.1.4, I could sustain a 200-400 SYN-packet/sec attack
> and still remain functional (and quick for a 1+), but the machine didn't
> normally run web servers... Even when I nailed it with 1000 SYNs/sec,
> the machine continued functioning but I couldn't connect to the socket
> being nailed. A second after stopping the heavier attack, I could.
>
I have no idea what this will do for performance on Solaris 2.5 machines.
-chris
PS Does anyone have a good source of info on the Solaris implementation
for those of us not lucky enough to have source licenses?
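The thread is tuning two knobs of the same structure: how many embryonic connections the kernel will hold (Solaris tcp_conn_req_max, the BSD listen queue) and how long it holds them before reaping (BSD TCPTV_KEEP_INIT, 75 seconds by default, 7 in Avi's patch). The following is an added example, written for this archive page and not code from either poster or from any kernel; it models that queue as a bounded dictionary with per-entry expiry and replays a constructed event stream of never-completed SYNs plus a few legitimate clients, so the two trade-offs above (a long timeout lets a modest SYN rate fill the queue; a short timeout drops clients whose handshake takes longer than the timeout) can be seen side by side. The class and function names, the rates and the client RTTs are all assumptions chosen for illustration.

```python
"""Model of the embryonic (half-open) TCP connection queue the thread is tuning:
a bounded backlog (tcp_conn_req_max / BSD listen queue analogue) whose entries
expire after the SYN-ACK timeout (TCPTV_KEEP_INIT analogue).
Constructed example; not code from the post or from any kernel."""
from collections import namedtuple

Result = namedtuple("Result", "completed lost_timeout lost_queue_full")


class HalfOpenQueue:
    """Bounded set of embryonic connections keyed by a stand-in for the 4-tuple."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity   # tcp_conn_req_max analogue (assumed name)
        self.timeout = timeout     # TCPTV_KEEP_INIT analogue, in seconds
        self.entries = {}          # key -> time at which the entry expires
        self.dropped_full = 0

    def expire(self, now):
        # The slow timer reaps PCBs whose SYN-ACK was never answered in time.
        self.entries = {k: t for k, t in self.entries.items() if t > now}

    def syn(self, key, now):
        """Incoming SYN: allocate an embryonic entry, or refuse if the queue is full."""
        self.expire(now)
        if len(self.entries) >= self.capacity:
            self.dropped_full += 1
            return False
        self.entries[key] = now + self.timeout
        return True

    def ack(self, key, now):
        """Final ACK of the handshake: succeeds only if the entry is still alive."""
        self.expire(now)
        return self.entries.pop(key, None) is not None


def simulate(timeout, capacity, syn_rate, duration, clients):
    """Replay a constructed event stream against the queue.

    syn_rate : SYNs per second from sources that never complete the handshake
    duration : seconds over which those SYNs arrive
    clients  : list of (start_time, handshake_rtt) for legitimate clients; the
               final ACK arrives handshake_rtt seconds after the SYN
    Returns a Result counting only the legitimate clients' outcomes.
    """
    events = []  # (time, sequence number for stable ordering, kind, key)
    seq = 0
    for i in range(int(syn_rate * duration)):
        events.append((i / syn_rate, seq, "syn", ("flood", i)))
        seq += 1
    for j, (start, rtt) in enumerate(clients):
        events.append((start, seq, "syn", ("client", j)))
        events.append((start + rtt, seq + 1, "ack", ("client", j)))
        seq += 2
    events.sort()

    q = HalfOpenQueue(capacity, timeout)
    completed = lost_timeout = lost_full = 0
    admitted = set()  # legitimate clients whose SYN actually got an entry
    for now, _, kind, key in events:
        if kind == "syn":
            accepted = q.syn(key, now)
            if key[0] == "client":
                if accepted:
                    admitted.add(key)
                else:
                    lost_full += 1
        else:  # "ack"
            if key not in admitted:
                continue  # SYN was refused; the client never saw a SYN-ACK
            if q.ack(key, now):
                completed += 1
            else:
                lost_timeout += 1  # entry was reaped before the ACK arrived
    return Result(completed, lost_timeout, lost_full)


def steady_state_half_open(syn_rate, timeout):
    """Little's law: entries held open at steady state by a sustained SYN rate."""
    return syn_rate * timeout


if __name__ == "__main__":
    # Avi's numbers: 400 SYN/s against a 75 s versus a 7 s timeout.
    print("held open at 75 s:", steady_state_half_open(400, 75))
    print("held open at  7 s:", steady_state_half_open(400, 7))
    # 100 SYN/s for 20 s against a 1024-entry queue; one real client at t=15.
    for t in (75, 7):
        print("timeout", t, simulate(t, 1024, 100, 20, [(15.0, 0.2)]))
    # No flood: a 7 s timeout versus clients that take 0.2, 5, 10 and 20 s.
    print("slow clients", simulate(7, 32, 0, 0,
                                   [(0.0, 0.2), (0.0, 5.0), (0.0, 10.0), (0.0, 20.0)]))
```

With the 75 s timeout the 100 SYN/s stream fills the 1024-entry queue after about ten seconds and the legitimate client at t=15 is refused outright; with the 7 s timeout only the last seven seconds of SYNs (700 entries) are ever resident, so the client gets through. The last run shows the cost Chris points out: at 7 s, the clients whose handshake takes 10 or 20 s have their entry reaped before their ACK arrives.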