Re: SYN trouble, hardware or software?

Andi Kleen (ak@muc.de)
Wed, 22 Jul 1998 21:17:44 +0200


On Wed, Jul 22, 1998 at 07:32:36PM +0200, Geert Uytterhoeven wrote:
> On 22 Jul 1998, Andi Kleen wrote:
> > Geert Uytterhoeven <Geert.Uytterhoeven@cs.kuleuven.ac.be> writes:
> > > On Wed, 22 Jul 1998, Chris Black wrote:
> > > > handshake (I think). We get messages on the master such as:
> > > > Jul 21 20:47:58 isrec-insect kernel: Warning: possible SYN flood from
> > > > 192.168.1.12 on 192.168.1.1:20817. Sending cookies.
>
> ...
>
> > The warning simply means that connection requests are coming in faster
> > than the server can process them.
> >
> > The syn cookie code keeps no per host state of course, just a
> > per-socket-global counter and timestamp (it would make no sense because in
> > real syn flood attacks the source addresses are usually forged). So the
> > syn cookie code will just report one packet that happened to overflow
> > the backlog queue (and that the warning message load limiter let through)
>
> IC.
>
> BTW, one of the other persons on our net winnuked the first IP address that was
> assumed to be a SYN flooder. It brought that machine down, but IIRC the SYN
> flood warnings didn't stop until I rebooted the server.

It'll take a few minutes until the socket backlog of bogus sockets has
been cleared (you can see that by looking for lots of SYN_RECV sockets
in netstat -t output, and their timer status). When I remember it right
2.0.30 was a bit too aggressive at reporting syn flooding, but that
was fixed in later 2.0 kernels.

If your syn flooder used a syn flooding program that didn't forge its
source address he was really clueless @) [or his ISP has good filters
against spoofing, but then he still could forge with some other address
on the same network, so you might have gotten the wrong one]. The best
way to verify if a syn flood is still going on is to check with tcpdump.

Also note that it is not always an attack - some outdated Mac and old
3.1 Windows stacks (wintrumpet) had bugs that led them to cause a
syn flood in some circumstances.

-Andi
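A way to run the netstat check described above, added here as an example and not part of the original message: it parses `netstat -t -n -o` output (a constructed sample is embedded, the real command would be piped in instead) and counts half-open SYN_RECV sockets per local port and per peer address. The per-peer breakdown identifies nobody, since flood sources are usually forged; it only shows whether the backlog is filled by many addresses or one.

```shell
#!/bin/sh
# Constructed sample of `netstat -t -n -o` output (not taken from the message).
# The Timer column shows the retransmit timer Andi refers to.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 192.168.1.1:20817       192.168.1.12:1034       SYN_RECV    on (2.31/1/0)
tcp        0      0 192.168.1.1:20817       10.0.0.5:2048           SYN_RECV    on (1.10/2/0)
tcp        0      0 192.168.1.1:20817       10.0.0.5:2049           SYN_RECV    on (0.55/3/0)
tcp        0      0 192.168.1.1:22          192.168.1.30:40122      ESTABLISHED keepalive (3600.00/0/0)
tcp        0      0 192.168.1.1:20817       192.168.1.31:5001       ESTABLISHED off (0.00/0/0)'

# count_syn_recv: number of half-open (SYN_RECV) entries in netstat -t output on stdin.
count_syn_recv() {
    awk '$6 == "SYN_RECV" { n++ } END { print n + 0 }'
}

# syn_recv_by_local_port: half-open entries grouped by local port, busiest first.
# The port is what the kernel warning names ("on 192.168.1.1:20817").
syn_recv_by_local_port() {
    awk '$6 == "SYN_RECV" { p = $4; sub(/.*:/, "", p); c[p]++ }
         END { for (p in c) printf "%s %d\n", p, c[p] }' | sort -k2,2nr
}

# syn_recv_by_peer: half-open entries grouped by foreign address, busiest first.
# Source addresses in a real flood are usually spoofed, so this does not name
# an attacker; it only shows whether the backlog is filled by many peers or one.
syn_recv_by_peer() {
    awk '$6 == "SYN_RECV" { h = $5; sub(/:[^:]*$/, "", h); c[h]++ }
         END { for (h in c) printf "%s %d\n", h, c[h] }' | sort -k2,2nr
}

# Usage with the constructed sample; with a live box use: netstat -t -n -o | count_syn_recv
printf '%s\n' "$SAMPLE_NETSTAT" | count_syn_recv
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_by_local_port
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_by_peer
```

If the count stays high for more than a few minutes after the traffic should have stopped, confirm with tcpdump whether SYNs are still arriving before drawing any conclusion from the addresses.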
