Re: SYN flooding....

Eric.Schenk@dna.lth.se
Sun, 25 May 1997 16:30:34 +0200


Chris Evans <chris@ferret.lmh.ox.ac.uk> writes:
>
>My kernel deemed it necessary to say...
>
>Warning: possible SYN flooding. Sending cookies.
>
>How kind of it. But FROM WHO????
Two things:

(1) this does not necessarily mean you are getting syn flooded.
Note the word "possible". All that you can really say is that
you had more incoming requests for connects than you could
deal with. It may only mean that you should increase your listen
backlog on some service. If you are really under attack you
should be seeing lots of these messages. The 2.1.31 code should
at least report the port number so you know what service needs
to have its backlog increased.

(2) If you are really under attack, then by the very nature of the
SYN flood attack it is not possible to know from whom the attack
is coming. The kernel only knows the spoofed address on the
SYN packets that are arriving, and those are anything but the
address of the attacker.

-- 
Eric Schenk                               www: http://www.dna.lth.se/~erics
Dept. of Comp. Sci., Lund University          email: Eric.Schenk@dna.lth.se
Box 118, S-221 00 LUND, Sweden   fax: +46-46 13 10 21  ph: +46-46 222 96 38
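
Added example (not part of the original message): one way to apply point (1) is to tally the kernel warnings per port and separate an isolated backlog overflow from a sustained run. The log lines are constructed, and the "on port N" wording, the 60-second window and the threshold of 5 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from a real host). The first uses the wording
# quoted in the thread; the "on port N" wording is an assumed format.
SAMPLE_LOG = """\
May 25 14:02:11 host kernel: Warning: possible SYN flooding. Sending cookies.
May 25 16:10:01 host kernel: Warning: possible SYN flooding on port 80. Sending cookies.
May 25 16:10:03 host kernel: Warning: possible SYN flooding on port 80. Sending cookies.
May 25 16:10:04 host kernel: Warning: possible SYN flooding on port 80. Sending cookies.
May 25 16:10:09 host kernel: Warning: possible SYN flooding on port 80. Sending cookies.
May 25 16:10:15 host kernel: Warning: possible SYN flooding on port 80. Sending cookies.
May 25 18:45:30 host kernel: Warning: possible SYN flooding on port 25. Sending cookies.
May 25 18:50:00 host sshd[411]: unrelated line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*"
    r"possible SYN flooding(?: on port (?P<port>\d+))?\. Sending cookies",
    re.IGNORECASE,
)
LOG_YEAR = 1997  # syslog timestamps carry no year; assumed for parsing

def parse_events(text):
    """Return [(timestamp, port or None)] for each SYN-cookie warning."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, int(m["port"]) if m["port"] else None))
    return events

def classify(events, window=timedelta(seconds=60), threshold=5):
    """Label a port 'sustained' if >= threshold warnings fall in one window."""
    by_port = defaultdict(list)
    for ts, port in events:
        by_port[port].append(ts)
    result = {}
    for port, stamps in by_port.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide window start forward
                start += 1
            peak = max(peak, end - start + 1)
        result[port] = "sustained" if peak >= threshold else "isolated"
    return result
```

An "isolated" port is a candidate for a larger listen backlog; a "sustained" one merits a closer look. The warnings carry no source address, so the tally says nothing about who is sending the SYNs.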