nanog mailing list archives

SYN attack. how does it *really* work


From: "Jonathan M. Bresler" <jmb () freefall freebsd org>
Date: Tue, 17 Sep 1996 18:33:24 -0700 (PDT)

Michael Dillon wrote:

If it only takes 8 SYN packets to lock up a socket for 75 seconds then
effective SYN flood attacks certainly *CAN* be launched from a dialup
connection. And if the definition of an effective attack allows for
intermittently shutting down a socket then effective attacks certainly
*CAN* be launched from places like Uruguay, Brazil, Indonesia and so forth.

        not 8, only 2 SYN packets into the same connection are needed
                (connection is a single src addr, src port, dest addr
                 dest port 4-tuple)
        not 75 seconds, ~11 minutes.

        the essence of the bug is:

        one timer t_timer[TCPT_KEEP] used for 2 purposes
                --to hold the 75 second half-open timer
                --to hold the 2 hour keepalive timer
        the first SYN packet sets the timer to 75 seconds
        the second trips the bug and resets the timer to 2 hours

        so where does the 11 minutes come from?

        the server (target) sends SYN-ACK packets, and retransmits
        the SYN-ACK until it either gets a response or gives up
        when TCP_MAXRXTSHIFT is exceeded.  the latter takes ~11 minutes.

        the fix is to qualify the setting of the timer a la:

        if (TCPS_HAVEESTABLISHED(tp->t_state))
                tp->t_timer[TCPT_KEEP] = tcp_keepidle;

        and to set the timer at each location where the TCP/IP state
        machine transitions to TCPS_ESTABLISHED.

        each half-open socket consumes 264 bytes of memory (assuming
        perfect allocation ;)

        all BSD derived TCP/IP implementations are/may be susceptible
        to this bug.  that includes AIX, SVR4, and SunOS.

        stevens TCP/IP illustrated vol 3 p191 explains this much better
        than i can
jmb
--
Jonathan M. Bresler           FreeBSD Postmaster             jmb () FreeBSD ORG
FreeBSD--4.4BSD Unix for PC clones, source included. http://www.freebsd.org/
PGP 2.6.2 Fingerprint:      31 57 41 56 06 C1 40 13  C5 1C E3 E5 DC 62 0E FB
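A constructed C model of the shared-timer-slot bug the mail describes, added here as an example; it is not the 4.4BSD source and not the author's code. The state names and the TCPS_HAVEESTABLISHED qualifier follow the mail; TCPT_KEEP as the single shared slot, the 75 s and 2 h values, and SYNACK_GIVEUP (the ~11 minutes until TCP_MAXRXTSHIFT is exceeded) are assumptions taken from the figures quoted in the mail.

```c
#include <stdio.h>

/* Constructed model of the 4.4BSD timer-slot reuse described in the mail;
 * not the real kernel code. All times are in seconds (assumed values). */
#define TCPT_KEEP        0
#define TCPT_NTIMERS     1
#define TCPTV_KEEP_INIT  75             /* half-open (SYN_RCVD) timeout */
#define TCP_KEEPIDLE     (2 * 60 * 60)  /* idle time before keepalive probes */
#define SYNACK_GIVEUP    (11 * 60)      /* ~time until TCP_MAXRXTSHIFT exceeded */

enum tcpstate { TCPS_LISTEN, TCPS_SYN_RECEIVED, TCPS_ESTABLISHED };
#define TCPS_HAVEESTABLISHED(s) ((s) >= TCPS_ESTABLISHED)

struct tcpcb {
    enum tcpstate t_state;
    int t_timer[TCPT_NTIMERS];   /* one slot shared by both timeouts */
};

/* A SYN arrives for a 4-tuple. The first one creates the half-open
 * connection and arms the 75 s timer. The unpatched path re-armed the
 * same slot with the 2-hour keepalive value on a repeated SYN for that
 * connection; the fix only does so once the connection is established. */
static void syn_input(struct tcpcb *tp, int patched)
{
    if (tp->t_state == TCPS_LISTEN) {
        tp->t_state = TCPS_SYN_RECEIVED;
        tp->t_timer[TCPT_KEEP] = TCPTV_KEEP_INIT;
        return;
    }
    if (!patched || TCPS_HAVEESTABLISHED(tp->t_state))
        tp->t_timer[TCPT_KEEP] = TCP_KEEPIDLE;
}

/* Seconds the half-open entry lingers after nsyn SYNs with no final ACK:
 * whichever fires first, the KEEP timer or the SYN-ACK retransmit give-up. */
int halfopen_lifetime(int nsyn, int patched)
{
    struct tcpcb tcb = { TCPS_LISTEN, { 0 } };
    for (int i = 0; i < nsyn; i++)
        syn_input(&tcb, patched);
    return tcb.t_timer[TCPT_KEEP] < SYNACK_GIVEUP
               ? tcb.t_timer[TCPT_KEEP] : SYNACK_GIVEUP;
}

int main(void)
{
    printf("unpatched, 1 SYN : %d s\n", halfopen_lifetime(1, 0)); /* 75 */
    printf("unpatched, 2 SYNs: %d s\n", halfopen_lifetime(2, 0)); /* 660 */
    printf("patched,   2 SYNs: %d s\n", halfopen_lifetime(2, 1)); /* 75 */
    return 0;
}
```

With the fix applied, a duplicate SYN leaves the 75 s half-open timer untouched, so the entry is reclaimed long before the SYN-ACK retransmissions give up.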