Actually, while dealing with an ongoing SYN attack, I have discovered
several items in the code that need to be corrected. This message is
actually logged once per second as the check is for HZ, not (HZ*60).
Search for the comment in the following file and correct the line to the
one below; otherwise, your logs will be quite filled during an attack.

/usr/src/linux/net/ipv4/tcp_input.c

    /* Only let this warning get printed once a minute. */
    if (jiffies - warning_time > HZ*60) {
        warning_time = jiffies;
        printk(KERN_INFO "Warning: possible SYN flooding. Sending cookies.\n");
    }

To further this discussion, I have recompiled my kernel with the patches
we have discussed and turned on profiling. I am a neophyte at this, so
I'll need your help properly representing the data. If you can please
direct me to useful tools for dealing with the kernel profiling, I would
appreciate it. I'm getting the profiling package on sunsite; are there
others that you guys prefer?

To any others that are developing SYN code, my host has been under a SYN
attack for the last 6 days. Linux is proving to stand up remarkably well
and this is an excellent opportunity to 'rad harden' the kernel.

David
[reply to: david@kalifornia.nospam.com without the nospam]
*** *** Flames will go to /dev/null
** WARNING ** SPAM mail will be returned to you at a
*** *** minimum rate of 50,000 copies per email
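
Added example, not part of the message above and not kernel source: a user-space C simulation of the rate-limit test in the snippet, counting how many warnings get through a constructed ten-minute flood with an interval of HZ versus HZ*60, including a run where the tick counter wraps. HZ = 100, one overflow event per tick, warning_time starting equal to the counter, and the name count_warnings are assumptions made for the simulation.

```c
#include <limits.h>
#include <stdio.h>

#define HZ 100UL /* assumed tick rate, chosen for this simulation */

/* Constructed flood: one SYN-queue overflow per tick for `seconds` seconds,
 * with the simulated tick counter starting at `start`. Returns how many
 * warnings the rate limiter lets through for `interval` ticks. */
unsigned long count_warnings(unsigned long start, unsigned long seconds,
                             unsigned long interval)
{
    unsigned long jiffies = start;      /* simulated tick counter */
    unsigned long warning_time = start; /* tick of the last warning */
    unsigned long printed = 0;
    unsigned long i;

    for (i = 0; i < seconds * HZ; i++) {
        jiffies++; /* unsigned, so it wraps past zero without error */
        /* Same test as the snippet. The unsigned subtraction yields the
         * elapsed ticks even when jiffies has wrapped below warning_time. */
        if (jiffies - warning_time > interval) {
            warning_time = jiffies;
            printed++; /* stands in for the printk() call */
        }
    }
    return printed;
}

int main(void)
{
    unsigned long ten_min = 600; /* flood length in seconds */

    printf("interval HZ:        %lu warnings\n",
           count_warnings(0, ten_min, HZ));
    printf("interval HZ*60:     %lu warnings\n",
           count_warnings(0, ten_min, HZ * 60));
    printf("HZ*60 across wrap:  %lu warnings\n",
           count_warnings(ULONG_MAX - 3000, ten_min, HZ * 60));
    return 0;
}
```

The strict `>` comparison means a warning fires one tick after the interval has elapsed, which is why the counts come out slightly below 600 and 10.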