SYN flood messages flooding my mailbox

Matt Bush xomox at boris.eden.com
Tue Sep 17 18:29:42 UTC 1996


> 
> In message <199609161637.MAA20184 at netaxs.com>, Avi Freedman writes:
> > 
> > > implementation.  This is a denial of service exposure that has gone
> > > unaddressed in host implementations until recently.  BSD now uses a
> > > hash table on the TCP PCBs (protocol control blocks in the kernel) and
> > > with change of removal of the check can support close to 64K-2000 PCBs
> > 
> > Hmm.  Interesting.  I was told that NetBSD did not...
> > Which version of BSD should I look at?  A hash table on a static array of
> > PCBs is a much better solution than letting a linked list get to 2000
> > entries...
> 
> Oops.  That's in a BSDI patch (PATCH K210-019) but I'm not sure about
> FreeBSD or NetBSD distributions since I don't have one handy.
> 
I'm not sure about prior releases, but FreeBSD 2.1.0 and above do hash
PCBs, with a default hash size of 128.  The constant name is TCBHASHSIZE
in netinet/tcp_subr.c.  To raise it, just add

options         "TCBHASHSIZE=2048"	# More capable TCB hash

  ... and if you feel the need, add

options         "UDBHASHSIZE=1024"	# More capable UDB hash

to your kern config file.

> Curtis
> 
> ps- (My 6 year old has a FreeBSD system, but its 2.0.5.  Got to get
> him to upgrade. :)
> 
Version 2.1.5-Release is now available.  ;-)

  Cheers,

   -Matt
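The thread's point is that a SYN flood fills the kernel with half-open PCBs, and the cost of finding the right PCB for each incoming segment depends on how many entries share a hash chain, which is what TCBHASHSIZE controls. The following C program is an added illustration written for this archive page; it is not code from the post or from FreeBSD's netinet/tcp_subr.c. It models a PCB table as an array of hash chains keyed on the 4-tuple (a constructed FNV-1a hash, not the kernel's), fills it with a constructed flood of 60000 half-open connections from random spoofed sources, and reports the mean and worst-case number of PCBs examined per lookup at the 128-bucket default versus 2048 buckets.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a TCP protocol control block: only the 4-tuple the hash is
 * keyed on.  Constructed model, not the FreeBSD inpcb structure. */
struct pcb {
    uint32_t faddr, laddr;
    uint16_t fport, lport;
    struct pcb *next;               /* next entry in the same hash bucket */
};

struct pcbtable {
    size_t nbuckets;                /* plays the role of TCBHASHSIZE */
    struct pcb **buckets;
};

/* FNV-1a over the 4-tuple, reduced modulo the bucket count (constructed). */
static size_t pcb_hash(uint32_t faddr, uint16_t fport, uint32_t laddr,
                       uint16_t lport, size_t nbuckets)
{
    uint8_t key[12];
    memcpy(key, &faddr, 4); memcpy(key + 4, &laddr, 4);
    memcpy(key + 8, &fport, 2); memcpy(key + 10, &lport, 2);
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof key; i++) { h ^= key[i]; h *= 16777619u; }
    return h % nbuckets;
}

struct pcbtable *pcbtable_create(size_t nbuckets)
{
    struct pcbtable *t = malloc(sizeof *t);
    if (t == NULL) return NULL;
    t->nbuckets = nbuckets;
    t->buckets = calloc(nbuckets, sizeof *t->buckets);
    if (t->buckets == NULL) { free(t); return NULL; }
    return t;
}

void pcbtable_destroy(struct pcbtable *t)
{
    for (size_t b = 0; b < t->nbuckets; b++) {
        struct pcb *p = t->buckets[b];
        while (p != NULL) { struct pcb *n = p->next; free(p); p = n; }
    }
    free(t->buckets);
    free(t);
}

/* Insert at the head of its chain, as a freshly created half-open PCB would be. */
int pcbtable_insert(struct pcbtable *t, uint32_t faddr, uint16_t fport,
                    uint32_t laddr, uint16_t lport)
{
    struct pcb *p = malloc(sizeof *p);
    if (p == NULL) return -1;
    p->faddr = faddr; p->fport = fport; p->laddr = laddr; p->lport = lport;
    size_t b = pcb_hash(faddr, fport, laddr, lport, t->nbuckets);
    p->next = t->buckets[b];
    t->buckets[b] = p;
    return 0;
}

/* Walk one chain for a 4-tuple.  Returns the number of PCBs examined, which is
 * the cost the kernel pays on every incoming segment; *found is NULL on a miss. */
size_t pcbtable_lookup(const struct pcbtable *t, uint32_t faddr, uint16_t fport,
                       uint32_t laddr, uint16_t lport, struct pcb **found)
{
    size_t probes = 0, b = pcb_hash(faddr, fport, laddr, lport, t->nbuckets);
    *found = NULL;
    for (struct pcb *p = t->buckets[b]; p != NULL; p = p->next) {
        probes++;
        if (p->faddr == faddr && p->fport == fport &&
            p->laddr == laddr && p->lport == lport) { *found = p; break; }
    }
    return probes;
}

/* Longest chain in the table: the worst case for a single lookup. */
size_t pcbtable_max_chain(const struct pcbtable *t)
{
    size_t longest = 0;
    for (size_t b = 0; b < t->nbuckets; b++) {
        size_t len = 0;
        for (struct pcb *p = t->buckets[b]; p != NULL; p = p->next) len++;
        if (len > longest) longest = len;
    }
    return longest;
}

/* xorshift32 with a fixed seed so every run produces the same flood. */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *s = x;
}

/* Model a SYN flood: n_half_open embryonic connections from random spoofed
 * sources to one local listener (10.0.0.1:80, constructed), then look each one
 * up as a later segment would.  Returns the mean PCBs examined per lookup and,
 * if max_chain is non-NULL, the longest chain.  Returns -1.0 on allocation failure. */
double simulate_syn_flood(size_t nbuckets, size_t n_half_open, size_t *max_chain)
{
    const uint32_t laddr = 0x0a000001u;
    const uint16_t lport = 80;
    struct pcbtable *t = pcbtable_create(nbuckets);
    uint32_t *faddrs = malloc(n_half_open * sizeof *faddrs);
    uint16_t *fports = malloc(n_half_open * sizeof *fports);
    double mean = -1.0;
    if (t != NULL && faddrs != NULL && fports != NULL) {
        uint32_t seed = 0x9e3779b9u;
        size_t total = 0;
        for (size_t i = 0; i < n_half_open; i++) {
            faddrs[i] = xorshift32(&seed);
            fports[i] = (uint16_t)(xorshift32(&seed) >> 16);
            pcbtable_insert(t, faddrs[i], fports[i], laddr, lport);
        }
        for (size_t i = 0; i < n_half_open; i++) {
            struct pcb *p;
            total += pcbtable_lookup(t, faddrs[i], fports[i], laddr, lport, &p);
        }
        if (max_chain != NULL) *max_chain = pcbtable_max_chain(t);
        mean = (double)total / (double)n_half_open;
    }
    free(faddrs); free(fports);
    if (t != NULL) pcbtable_destroy(t);
    return mean;
}

int main(void)
{
    size_t sizes[] = { 128, 2048 };          /* default vs the value suggested above */
    for (size_t i = 0; i < 2; i++) {
        size_t longest = 0;
        double mean = simulate_syn_flood(sizes[i], 60000, &longest);
        printf("TCBHASHSIZE=%zu: mean %.1f PCBs examined per lookup, longest chain %zu\n",
               sizes[i], mean, longest);
    }
    return 0;
}
```

With 60000 half-open PCBs spread over 128 chains, each chain holds roughly 470 entries and a successful lookup walks about half of one, so every incoming segment costs a few hundred comparisons; at 2048 buckets the same flood leaves chains of about 30 and the per-segment cost drops by more than an order of magnitude. The bucket count only bounds the lookup cost, not the memory the half-open PCBs consume, so raising TCBHASHSIZE is a way of keeping the host responsive under a flood rather than a way of stopping one.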
