Subject: Re: erroneous ack packet, ideas please?
To: Andrew Brown <>
From: Michael Richardson <>
List: tech-net
Date: 07/11/1997 13:15:46

>>>>> "Andrew" == Andrew Brown <> writes:
    Andrew> solaris 2.3 and 2.4 had something called
    Andrew> tcp_eager_listeners which was (i believe) implemented as a
    Andrew> system-wide setting to affect tcp connections.  what it
    Andrew> did was cause the accept() call to return after receipt of

  I understand that DG-Unix had a similar thing (this from reading the
CERN httpd source)

    Andrew> the initial syn packet, not after the entire three-way
    Andrew> handshake had completed.  i believe the idea was that one
    Andrew> could more effectively screen connections by making the
    Andrew> services appear not to be supported, rather than (ala tcp
    Andrew> wrappers) first accepting the connection, and then
    Andrew> dropping it.

  I was going to implement this for a firewall I used to work on. It
would be much nice for a user to see "Connection refused" than "No
data" when the site they want to access isn't allowed. (e.g. in a
transparent HTTP proxy).
  It also gives you send the outgoing SYN (in the case of a proxy) out
an RTT earlier, perhaps reducing the connection setup latency caused
by proxies.

    Andrew> i've got my box at home to the point where accept()
    Andrew> returns after the first syn (via a setsockopt() on the
    Andrew> "master" socket), subsequent syns are simply "absorbed",

  Yes, this is much better than a global parameter, I sort of feel
that perhaps it should be a new system call: eager_accept()? 

    Andrew> i haven't got the reset packet working yet (although my
    Andrew> computer notices that that's what i'm trying to do) and
    Andrew> then there would be some finishing work (like making it a
    Andrew> config option, and adding a sysctl so that you can compile
    Andrew> it in but turn it off for later), but other than that, i'm
    Andrew> pretty much done.

  Huh, so you would be global? Bad.
  I'm also worried that you would make SYN attacks worse. That was one
reason for not implementing things. 

]                 The sun rarely sets on Helsinki               | one quark   [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    | two quark   [
] | red q blue q[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface