Michael Dillon wrote:
If it only takes 8 SYN packets to lock up a socket for 75 seconds then effective SYN flood attacks certainly *CAN* be launched from a dialup connection. And if the definition of an effective attack allows for intermittently shutting down a socket then effective attacks certainly *CAN* be launched from places like Uruguay, Brazil, Indonesia and so forth.
Not 8, only 2 SYN packets into the same connection are needed (a connection is a single src addr, src port, dest addr, dest port 4-tuple). Not 75 seconds, ~11 minutes.

The essence of the bug is: one timer, t_timer[TCPT_KEEP], is used for 2 purposes:
  -- to hold the 75 second half-open timer
  -- to hold the 2 hour keepalive timer

The first SYN packet sets the timer to 75 seconds; the second trips the bug and resets the timer to 2 hours.

So where does the 11 minutes come from? The server (target) sends SYN-ACK packets, and retransmits the SYN-ACK until it either gets a response or gives up when TCP_MAXRXTSHIFT is exceeded. The latter takes ~11 minutes.

The fix is to qualify the setting of the timer ala:

    if (TCPS_HAVEESTABLISHED(tp->t_state))
        tp->t_timer[TCPT_KEEP] = tcp_keepidle;

and to set the timer at each location where the TCP/IP state machine transitions to TCPS_ESTABLISHED.

Each half-open socket consumes 264 bytes of memory (assuming perfect allocation ;)

All BSD derived TCP/IP implementations are/may be susceptible to this bug. That includes AIX, SVR4, and SunOS.

Stevens, TCP/IP Illustrated vol 3 p191, explains this much better than I can.

jmb
-- 
Jonathan M. Bresler  FreeBSD Postmaster  jmb@FreeBSD.ORG
FreeBSD--4.4BSD Unix for PC clones, source included. http://www.freebsd.org/
PGP 2.6.2 Fingerprint: 31 57 41 56 06 C1 40 13 C5 1C E3 E5 DC 62 0E FB
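The timer reset jmb describes, as an added C model that is not part of this thread or of BSD source: it puts the unconditional keepalive reset beside the TCPS_HAVEESTABLISHED guard from the post and shows a second SYN on the same 4-tuple bumping the half-open timer from its remaining 70 s to 2 hours only in the unguarded version, while established connections keep their 2-hour keepalive either way. State numbers and timer constants follow 4.4BSD's headers; the two-field tcpcb and the 5-second gap between the SYNs are assumptions.

```c
#include <stdbool.h>

/* Constructed model, not BSD source. State numbers and timer values follow
 * 4.4BSD's tcp_fsm.h / tcp_timer.h; the tcpcb is cut down to two fields. */
#define TCPS_SYN_RECEIVED 3
#define TCPS_ESTABLISHED  4
#define TCPS_HAVEESTABLISHED(s) ((s) >= TCPS_ESTABLISHED)
#define TCPTV_KEEP_INIT   75            /* half-open timeout, seconds */
#define TCP_KEEPIDLE      (2 * 60 * 60) /* keepalive idle time, seconds */

struct tcpcb { int t_state; int t_timer_keep; /* t_timer[TCPT_KEEP], seconds */ };

/* First SYN on a listening socket: arm the 75 s half-open timer. */
static void syn_on_listen(struct tcpcb *tp)
{
    tp->t_state = TCPS_SYN_RECEIVED;
    tp->t_timer_keep = TCPTV_KEEP_INIT;
}

/* tcp_input()'s "segment received on connection, reset keep-alive timer"
 * step: unconditional in the buggy code, guarded as in the post when fixed. */
static void segment_on_connection(struct tcpcb *tp, bool fixed)
{
    if (!fixed || TCPS_HAVEESTABLISHED(tp->t_state))
        tp->t_timer_keep = TCP_KEEPIDLE;
}

/* Keep timer left on a half-open tcpcb after a second SYN for the same
 * 4-tuple arrives 5 slow-timer seconds after the first. Buggy: 7200, fixed: 70. */
int keep_timer_after_duplicate_syn(bool fixed)
{
    struct tcpcb tcb = {0};
    syn_on_listen(&tcb);
    tcb.t_timer_keep -= 5;
    segment_on_connection(&tcb, fixed);
    return tcb.t_timer_keep;
}

/* Keep timer once the handshake completes and a data segment arrives: the
 * guard must leave the 2-hour keepalive of established connections intact. */
int keep_timer_after_handshake(bool fixed)
{
    struct tcpcb tcb = {0};
    syn_on_listen(&tcb);
    /* Second half of the fix: arm the keepalive timer at the transition to
     * ESTABLISHED itself (the handshake's final ACK). */
    tcb.t_state = TCPS_ESTABLISHED;
    tcb.t_timer_keep = TCP_KEEPIDLE;
    segment_on_connection(&tcb, fixed);
    return tcb.t_timer_keep;
}
```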