Re: Stopping SYN floods.

cowzilla@gwbbs.northeast.net
Thu, 17 Oct 1996 21:13:11 -0500 (CDT)


I was just reading the last parts of Alan Cox's responses on bugtraq
about this... It seems he has a way to answer incoming SYNs (once the
queue is filled up) with sequence numbers hashed in such a way that the
kernel can essentially "forget" about them until a SYN/ACK comes back...
and then it can grab all the useful info back out of the sequence
number... I am probably wrong about a few things here since I'm pretty new
to networking... I just like playing around with it and trying to
understand it... :) (anyone lemme know if what I said made any sense)..

BTW for a while I was thinking what you were thinking... and I didn't see
too many problems with it, except when someone might have a fast enough
flood to make your queue wrap around before anyone else could establish a
connection...

I've got some other networking questions, but I'll save 'em for a later
post.. :)

On Thu, 17 Oct 1996, Chris Thornhill wrote:

> Hello,
>
> It seems the cool hackerish thing to do these days is to flood someone's
> port with spoofed SYN packets, disallowing any further connections
> to the port. Okay, fine. It seems to me that there is an easy
> solution to this (in theory). Forgive my lack of proper terminology
> here, but couldn't the tcp/ip stack be written so that if its connection
> table for a particular port fills, the next incoming SYN packet immediately
> causes the oldest connection that is waiting for an ACK from its SYNACK
> to time out?
>
> Just wanted to get a few peoples thoughts on the matter. :)
>
> - Chris
>
> P.S. Sorry about that run on sentence. :)
>
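The scheme described in the post above, later known as SYN cookies, as an added example that is not part of the original post or of Alan Cox's code: the server's initial sequence number is a keyed hash of the connection's 4-tuple plus a coarse timestamp and an MSS index, so nothing is stored for the half-open connection until the client's ACK brings back a value the server can recompute and check. The SECRET, the 4-tuple values and the toy mixing function are constructed stand-ins; a real stack uses a keyed cryptographic hash and a random boot-time secret.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed secret for the example; a real stack draws it from a CSPRNG. */
#define SECRET 0x9e3779b97f4a7c15ULL
#define MAX_AGE 3          /* accept cookies up to 3 ticks (e.g. minutes) old */

typedef struct { uint32_t saddr, daddr, client_isn; uint16_t sport, dport; } syn_t;

/* Small MSS table: the cookie only has room for an index, not the raw MSS. */
static const uint16_t mss_tab[4] = { 536, 1300, 1440, 1460 };
static uint32_t mss_index(uint16_t mss) {
    uint32_t i = 0;
    while (i + 1 < 4 && mss_tab[i + 1] <= mss) i++;   /* largest entry <= mss */
    return i;
}

/* Toy 64-bit mixer (assumption: stands in for a keyed cryptographic hash). */
static uint32_t mix(const syn_t *s, uint32_t t, uint32_t idx) {
    uint64_t x = SECRET ^ ((uint64_t)s->saddr << 32 | s->daddr);
    x *= 0xff51afd7ed558ccdULL; x ^= x >> 33;
    x ^= (uint64_t)s->sport << 48 | (uint64_t)s->dport << 32 | s->client_isn;
    x *= 0xc4ceb9fe1a85ec53ULL; x ^= x >> 33;
    x ^= (uint64_t)t << 8 | idx;
    x *= 0xff51afd7ed558ccdULL; x ^= x >> 33;
    return (uint32_t)x;
}

/* Server ISN for the SYN-ACK: 5-bit time | 24-bit hash | 3-bit MSS index.
 * The kernel keeps no record of the SYN; the 4-tuple and cookie suffice. */
uint32_t make_cookie(const syn_t *s, uint32_t now, uint16_t mss) {
    uint32_t t = now & 0x1f, idx = mss_index(mss);
    return (t << 27) | ((mix(s, t, idx) & 0xffffff) << 3) | idx;
}

/* On the client's ACK (ack = cookie + 1): returns the recovered MSS, or 0 if
 * the cookie is forged, belongs to another 4-tuple, or is too old. */
uint16_t check_cookie(const syn_t *s, uint32_t now, uint32_t ack) {
    uint32_t c = ack - 1, t = c >> 27, idx = c & 7;
    if ((((now & 0x1f) - t) & 0x1f) > MAX_AGE || idx >= 4) return 0;
    if ((mix(s, t, idx) & 0xffffff) != ((c >> 3) & 0xffffff)) return 0;
    return mss_tab[idx];
}

int main(void) {
    syn_t s = { 0x0a000001, 0x0a000002, 0x11223344, 40000, 80 }; /* constructed */
    uint32_t cookie = make_cookie(&s, 100, 1460);
    printf("cookie=%08x mss=%u\n", cookie, check_cookie(&s, 101, cookie + 1));
    return 0;
}
```

The price of forgetting the SYN is that any TCP option not squeezed into the cookie (window scaling, SACK) is lost, which is why real stacks only fall back to cookies once the backlog queue is full.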