Subject: Re: syn flooding handling ..
To: Murhy Paul <learning_netbsd@hotmail.com>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: tech-security
Date: 03/18/2004 21:42:37
On Thu, Mar 18, 2004 at 02:46:14PM +0530, Murhy Paul wrote:
> [...]
> From very little I know there is no definite fail-proof solution to syn 
> attacks.
> Best or most widely used being syn cookies / rst cookies ..
> I was looking at the source code and tcp_input.c file does have all syn 
> cache handling.
> But, being new wanted to know if that is on by default.
> ( version I am looking onto is 1.6.1 .. )

As far as I know it's on by default, and was in the 1.6 branch.

> or does it have to be turned on, variables one can play with in this regard 
> ??

I think you have the net.inet.tcp.syn_cache_limit and
net.inet.tcp.syn_bucket_limit sysctls, maybe others.

> can limits be set per port / service ??

No.

> 
> And how well / what is the behaviour of netbsd when a default installation 
> is put in front a spoofed ip syn attack ?

I think the developers who implemented the syn cache tested it with
a flood on a 100Mbs LAN.

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 26 years of experience will always make the difference
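An added illustration, not from the thread and not NetBSD's tcp_input.c: a small Python model of a bounded SYN cache in the spirit of the two sysctls named above (net.inet.tcp.syn_cache_limit, net.inet.tcp.syn_bucket_limit). It shows what the per-bucket and global limits do under a spoofed SYN flood: older half-open entries are evicted rather than the table growing without bound, and a legitimate half-open connection that arrived before the flood can be evicted with them. The hash function, eviction order and default sizes are simplified assumptions, not NetBSD's actual implementation.

```python
import hashlib
from collections import OrderedDict

# Simplified model of a bounded SYN cache (assumption: not NetBSD's real code).
# The limits stand in for syn_cache_limit / syn_bucket_limit; defaults are constructed.
class SynCache:
    def __init__(self, hash_size=8, bucket_limit=3, cache_limit=16):
        self.bucket_limit, self.cache_limit = bucket_limit, cache_limit
        # One OrderedDict per hash bucket; insertion order doubles as age.
        self.buckets = [OrderedDict() for _ in range(hash_size)]
        self.count, self.tick = 0, 0
        self.evicted = {"bucket": 0, "cache": 0}

    def _bucket(self, key):
        # Hash of the 4-tuple selects the bucket (stand-in for the kernel hash).
        h = hashlib.blake2b(repr(key).encode(), digest_size=4).digest()
        return self.buckets[int.from_bytes(h, "big") % len(self.buckets)]

    def _evict(self, bucket, reason):
        bucket.popitem(last=False)  # drop the oldest entry in that bucket
        self.count -= 1
        self.evicted[reason] += 1

    def insert(self, src, sport, dst, dport):
        """Incoming SYN: record a half-open connection, evicting if over a limit."""
        key = (src, sport, dst, dport)
        b = self._bucket(key)
        if key in b:
            return False  # retransmitted SYN, entry already present
        if len(b) >= self.bucket_limit:
            self._evict(b, "bucket")  # per-bucket limit: oldest in this bucket
        elif self.count >= self.cache_limit:
            # global limit: oldest entry anywhere in the cache (lowest tick)
            oldest = min((d for d in self.buckets if d), key=lambda d: next(iter(d.values())))
            self._evict(oldest, "cache")
        self.tick += 1
        b[key] = self.tick
        self.count += 1
        return True

    def complete(self, src, sport, dst, dport):
        """Final ACK of the handshake: True only if the half-open entry survived."""
        b = self._bucket((src, sport, dst, dport))
        if b.pop((src, sport, dst, dport), None) is None:
            return False
        self.count -= 1
        return True

def flood_then_complete(n_spoofed, legit=("198.51.100.7", 51515, "192.0.2.1", 80)):
    """Legit SYN, then n_spoofed spoofed SYNs (constructed addresses), then legit ACK."""
    cache = SynCache()
    cache.insert(*legit)
    for i in range(n_spoofed):
        cache.insert(f"10.{(i >> 8) & 255}.{i & 255}.1", 1024 + i, "192.0.2.1", 80)
    return cache.complete(*legit), cache.count, cache.evicted
```

With no flood the legitimate handshake completes; with a few hundred spoofed SYNs the cache stays within cache_limit, but the legitimate half-open entry is evicted and its final ACK finds nothing, which is the trade-off these limits make.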