Subject: Re: Panix attack?
To: David Gilbert <firstname.lastname@example.org>
From: Jamie Downs <email@example.com>
Date: 09/22/1996 23:38:51
> bogus IP addresses rapidly to a server's TCP ports. Typically,
> machines have the ability to track 32 such 'almost-open' connections,
> but even greatly increasing this number is not, in itself, a solution.
This number should be quite a bit larger.
> Is NetBSD working on this problem?
There are a number of things that can be done to harden the kernel against
the so called SYN-Storm attack. Avi Freedman of netaxs.com has put together
a page containing instructions for suns, but the technical parts are almost
exact for NetBSD. The hardening involves two parts:
1. Changing the timeout for the TCP connections from 75 seconds to 15.
2. Changing the way the kernel deals with these Embryonic TCP connections,
and how large the Queue is.
I've supplied Mr Freedman with context diffs to change the related files.
You should only need to apply the diffs to the proper files, and compile a
new kernel. I haven't as yet tested the changes myself, but in his tests,
Freedman has seen performance as good as warding off 2000 packets per second.
His page can be found at:
I'm not sure whether he has posted the diff's yet. If you don't see them,
ask him for them, and I'm sure he'll be happy to give them to you. I may
also follow suit for what he's done for the suns, and compile object files
to drop into place, but this is only "one of those future projects"...