Subject: Re: erroneous ack packet, ideas please?
To: Andrew Brown <firstname.lastname@example.org>
From: Michael Richardson <email@example.com>
Date: 07/11/1997 13:15:46
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Andrew" == Andrew Brown <firstname.lastname@example.org> writes:
Andrew> solaris 2.3 and 2.4 had something called
Andrew> tcp_eager_listeners which was (i believe) implemented as a
Andrew> system-wide setting to affect tcp connections. what it
Andrew> did was cause the accept() call to return after receipt of
I understand that DG-Unix had a similar thing (this from reading the
CERN httpd source)
Andrew> the initial syn packet, not after the entire three-way
Andrew> handshake had completed. i believe the idea was that one
Andrew> could more effectively screen connections by making the
Andrew> services appear not to be supported, rather than (ala tcp
Andrew> wrappers) first accepting the connection, and then
Andrew> dropping it.
I was going to implement this for a firewall I used to work on. It
would be much nicer for a user to see "Connection refused" than "No
data" when the site they want to access isn't allowed (e.g. in a
transparent HTTP proxy).
It also lets you send the outgoing SYN (in the case of a proxy) out
an RTT earlier, perhaps reducing the connection setup latency caused
Andrew> i've got my box at home to the point where accept()
Andrew> returns after the first syn (via a setsockopt() on the
Andrew> "master" socket), subsequent syns are simply "absorbed",
Yes, this is much better than a global parameter, I sort of feel
that perhaps it should be a new system call: eager_accept()?
Andrew> i haven't got the reset packet working yet (although my
Andrew> computer notices that that's what i'm trying to do) and
Andrew> then there would be some finishing work (like making it a
Andrew> config option, and adding a sysctl so that you can compile
Andrew> it in but turn it off for later), but other than that, i'm
Andrew> pretty much done.
Huh, so you would be global? Bad.
I'm also worried that you would make SYN attacks worse. That was one
reason for not implementing things.
] The sun rarely sets on Helsinki | one quark [
] Michael Richardson, Sandelman Software Works, Ottawa, ON | two quark [
] email@example.com http://www.sandelman.ottawa.on.ca/ | red q blue q[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
-----END PGP SIGNATURE-----
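The thread contrasts three things a client can observe: "Connection refused" (no listener, the kernel answers the SYN with a RST), a connection that the kernel completes before accept() is ever called, and the tcp-wrappers style of accepting and then dropping, which is the "No data" experience the reply complains about. The script below is an added example, not code from either poster, and it uses only the standard BSD socket semantics available on any stock system; the eager accept() option Andrew describes on his own box is not demonstrated because no portable socket option for it exists. All ports are ephemeral loopback ports constructed for the run, and the helper names (connect_result, wrapper_style_case, and so on) are this example's own.

```python
import socket
import struct
import threading


def connect_result(port, timeout=2.0):
    """Connect to 127.0.0.1:port and classify what the client sees.

    Returns one of:
      "refused"         connect() failed: no listener, kernel replied RST to our SYN
      "accepted-open"   handshake completed, peer silent until `timeout` expired
      "accepted-eof"    handshake completed, then peer closed normally (FIN)
      "accepted-reset"  handshake completed, then peer reset the connection (RST)
      "accepted-data"   handshake completed and the peer actually sent something
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(("127.0.0.1", port))
        except ConnectionRefusedError:
            return "refused"
        try:
            data = s.recv(1)
        except ConnectionResetError:
            return "accepted-reset"
        except socket.timeout:
            return "accepted-open"
        return "accepted-eof" if data == b"" else "accepted-data"


def released_port():
    """Constructed fixture: bind an ephemeral port and release it, so that
    nothing is listening there (a small race exists if another process
    grabs it in between, which is acceptable for a demonstration)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def no_listener_case():
    """Nothing listening: the SYN is answered with RST, connect() fails with
    ECONNREFUSED. This is the prompt "Connection refused" the reply prefers."""
    return connect_result(released_port())


def handshake_before_accept_case():
    """Listening socket whose owner never calls accept().

    Standard semantics: the kernel finishes the three-way handshake by itself
    and queues the connection; accept() merely dequeues it later. The client
    therefore sees a successful connect() although no application code has
    looked at the connection yet (the opposite of the eager accept() idea)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as ls:
        ls.bind(("127.0.0.1", 0))
        ls.listen(5)
        return connect_result(ls.getsockname()[1], timeout=0.5)


def wrapper_style_case(reset=False):
    """tcp-wrappers style screening: accept() first, decide, then drop.

    reset=False closes normally (FIN): the client sees a clean EOF.
    reset=True sets SO_LINGER with a zero timeout so close() emits RST:
    the client sees ECONNRESET. In both cases the client already obtained a
    fully established connection before being turned away."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.bind(("127.0.0.1", 0))
    ls.listen(5)
    port = ls.getsockname()[1]

    def screen_and_drop():
        conn, _peer = ls.accept()
        if reset:
            # l_onoff=1, l_linger=0 makes close() abort with RST instead of FIN
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                            struct.pack("ii", 1, 0))
        conn.close()
        ls.close()

    server = threading.Thread(target=screen_and_drop)
    server.start()
    result = connect_result(port)
    server.join()
    return result


if __name__ == "__main__":
    print("no listener          :", no_listener_case())
    print("listen, never accept :", handshake_before_accept_case())
    print("accept then close    :", wrapper_style_case())
    print("accept then RST      :", wrapper_style_case(reset=True))
```

Running it on a stock system shows why the reply distinguishes the two user experiences: only the first case yields an immediate refusal, while the accept-then-drop cases hand the client an established connection first. It also makes the SYN-flood concern concrete: because the kernel completes the handshake before accept(), a half-open SYN never reaches the application under normal semantics, whereas an accept() that returns on the first SYN would push every such SYN up to user space.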