Re: Patches/Bugfix (SYN attack)

Wolfram Kleff (kleff@athene.informatik.uni-bonn.de)
Sat, 21 Sep 1996 12:26:04 +0200 (MET DST)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Matthias Urlichs: "Re: 2.0.21 crashes with ISDN"
Previous message: Alain Knaff: "Re: IP Alias Limit"
Next in thread: Alan Cox: "Re: Patches/Bugfix (SYN attack)"
Reply: Alan Cox: "Re: Patches/Bugfix (SYN attack)"

> > - The TCP SYN attack stops Version 2.0.20 even if no programs are listening to
> > any port.
>
> I've not duplicated that so far. Work is underway for a fix to the SYN
> attacks. I think thats the only one being actively used we have a problem
> with. The fragment bomb attacks don't take out Linux and we have secure
> TCP sequence numbers sorted.
>
> The SYN one is an unpleasant one.

Thank you for your reply,
perhaps I haven't completely described the problem:
Its not only the "usual" SYN attack, which I know you are aware of,
(you have answered this on the various mailing lists :-).
The problem with kernel 2.0.20 is the fact that the kernel consumes
extremely much load while it is attacked. (up to 10.0 - it can't even
recognice a keypress)
Well, my attack is somewhat different,
Demon9's paper guessed a rather small amount of SYN packets but I
tried to really flood the other computer connected via a local ethernet.
As soon as the flood stops, anything is back to normal (ok, large amount
of SYN "connections").
This only happens if the faked source host adr is really not reachable.
There is no need for a listening program/daemon, which the "usual" SYN
attack needs.

I suppose that the actual implementation of the timing code for the SYN
timeout is too slow ?

Thanks,
Wolfram

Next message: Matthias Urlichs: "Re: 2.0.21 crashes with ISDN"
Previous message: Alain Knaff: "Re: IP Alias Limit"
Next in thread: Alan Cox: "Re: Patches/Bugfix (SYN attack)"
Reply: Alan Cox: "Re: Patches/Bugfix (SYN attack)"