SYN Resisting

Chris Layton cll at cais.cais.com
Thu Sep 12 05:13:46 UTC 1996


This is my last post on this as we are drifting into the realms of network
programming and OS tuning and far beyond the fringes of NANOG relevancy.

On Wed, 11 Sep 1996, Noam Freedman wrote:

> 
> Avi's patches center around removing the limit on the size of the linked
> list.  With ndd, you can only raise the limit to 1024.  Thus, the main
> goal of Avi's patch is not possible.
> 

That's true. I was mainly trying to give those of us running a modern
version of SunOS pointers on where to start.


> > On web servers, remote users routinely take longer than this to set up
> > connections. Anything less than 15-20 seconds and you will start losing
> > hits from those ISPs that Metcalfe seems to frequent.  This isn't a
> > criticism of Avi's patch. It's just something to be aware of.
> 
> Agreed. I would say that a good realistic limit is 30.  Anything below
> that and you WILL be kicking off valid connections.  However, I would lower
> it as soon as I knew I was being attacked.

Yes, but this needs to be pointed out so that you don't get people putting
patches on for prevention and then wondering why they have other problems.

> 
> Someone needs to make similar modifications to Solaris to remove the artificial
> limit (assuming the Solaris implementation does not have a hard limit (i.e.,
> based on something like an array instead of a linked list)).

I agree. The Solaris docs are very poor on the details of the TCP
implementation. Even the catalyst/developer docs are contradictory about
the TCP connection limits and such. I'm going to take a look at the src
and see what's actually going on. I also want to check if the limits are
an ndd thing. If so, that can be gotten around using your friend adb.

-chris

> 
> - Noam
> 
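The trade-off argued in the quoted exchange above (a short half-open timeout frees backlog slots under a SYN flood but drops slow legitimate clients), as an added example that is not part of the original post or of any SunOS/Solaris code: a constructed model of a half-open backlog with a slot limit and a timeout, fed spoofed SYNs that never complete plus one legitimate client per tick whose ACK arrives after a fixed delay. The capacity, timings and flood rate are constructed values; only the 1024 ndd ceiling is taken from the thread.

```python
from collections import OrderedDict


class HalfOpenQueue:
    """Fixed-size backlog of half-open connections, reaped by age (constructed model)."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity      # slot limit (the thread's ndd ceiling is 1024)
        self.timeout = timeout        # seconds a half-open entry may wait for its ACK
        self.pending = OrderedDict()  # client id -> arrival time of its SYN
        self.rejected = 0             # SYNs dropped because every slot was taken

    def reap(self, now):
        """Free every slot whose handshake has waited longer than the timeout."""
        for client, t0 in list(self.pending.items()):
            if now - t0 > self.timeout:
                del self.pending[client]

    def syn(self, now, client):
        """Queue a new half-open connection; False if no slot is free."""
        self.reap(now)
        if len(self.pending) >= self.capacity:
            self.rejected += 1
            return False
        self.pending[client] = now
        return True

    def ack(self, now, client):
        """Complete a handshake; False if its entry was never queued or expired."""
        self.reap(now)
        return self.pending.pop(client, None) is not None


def simulate(capacity, timeout, legit_delay, flood_rate, duration):
    """One-second ticks: flood_rate spoofed SYNs that never complete, then one
    legitimate SYN, then the ACK of the legitimate client from legit_delay ticks
    ago. Returns counts of legitimate handshakes completed and lost."""
    q = HalfOpenQueue(capacity, timeout)
    completed = lost = 0
    for t in range(duration):
        for i in range(flood_rate):
            q.syn(t, f"flood-{t}-{i}")
        q.syn(t, f"legit-{t}")
        if t >= legit_delay:
            if q.ack(t, f"legit-{t - legit_delay}"):
                completed += 1
            else:
                lost += 1
    return {"completed": completed, "lost": lost, "rejected": q.rejected}
```

Comparing simulate(1024, 10, 20, 0, 40) with simulate(1024, 30, 20, 0, 40) reproduces the slow-client point (a 10 s timeout loses every client that takes 20 s to finish the handshake, a 30 s one loses none), and simulate(64, 30, 2, 10, 60) against simulate(64, 3, 2, 10, 60) the attack point (with the long timeout the 64 slots fill with spoofed entries and legitimate handshakes are lost; with the short one the backlog never fills).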