Re: SYN and Solaris

[Sanjay Dani(maillists) <indus () professionals com>]

> From: dvv () sprint net (Dima Volodin)
> The values to play with are tcp_conn_req_max (defines the max value for
> listen queue), tcp_ip_notify_cinterval (makes tcp send another SYN???),
> tcp_ip_abort_cinterval (aborts connection and frees the slot). Note "c"
> in "cinterval". I understand these timer values work for both incoming
> and outgoing connections.

On Solaris, the default for tcp_ip_abort_cinterval is
180000 ms (3 mins). You could try reducing it to a few seconds
(at the risk of denying service to legit clients connecting over
slow links) using

        #ndd -set /dev/tcp tcp_ip_abort_cinterval <value in ms>

This affects ALL tcp conenctions on the system.

Solaris also lets you set the parameter for a specific destination
port if the SYN attacker does not use a random destination port:

        #include <netinet/in.h>
        #include <netinet/tcp.h>
        ....
        int value = <whatever>;
        
        setsockopt(fd, IPPROTO_TCP, TCP_CONN_ABORT_THERSHOLD, &value);
        ....

Sanjay.

PS. This feature may or may not be documented--I got it from a
friend at SunSoft.



- - - - - - - - - - - - - - - - -