
On Wed, 11 Sep 1996, Avi Freedman wrote:
In order to build a SYN-resistant BSD kernel, you need to modify one file in src/sys/os, uipc_socket2.c, and you also need to modify src/sys/netinet/tcp_timer.h and you have to rebuild tcp_usrreq.c and tcp_input.c in the netinet directory.
For those of you running Solaris 2.5, this can be done using ndd. The man page and the "ndd /dev/tcp \?" command will get you started. You will have to tweak the following variables: "tcp_conn_req_max" and "tcp_conn_grace_period". This will have roughly the same effects as Avi's patches.
From the bottom level up, change TCPTV_KEEP_INIT from 75*PR_SLOWHZ to 7*PR_SLOWHZ (or whatever # you want). This timeout (the 75) is the number of seconds that the kernel will keep un-established TCP PCB/sockets around for... When the SYN is received, it is acknowledged and the PCB && socket are set up for the embryonic session; the goal is to rip those things out of any queues they're in more aggressively.
On web servers, remote users routinely take longer than this to set up connections. Anything less than 15-20 seconds and you will start losing hits from those ISPs that Metcalfe seems to frequent. This isn't a criticism of Avi's patch. It's just something to be aware of.
On a Sparc 1+ w/ 4.1.4, I could sustain a 200-400 SYN-packet/sec attack and still remain functional (and quick for a 1+), but the machine didn't normally run web servers... Even when I nailed it with 1000 SYNs/sec, the machine continued functioning but I couldn't connect to the socket being nailed. A second after stopping the heavier attack, I could.
I have no idea what this will do for performance on Solaris 2.5 machines.

-chris

PS: Does anyone have a good source of info on the Solaris implementation for those of us not lucky enough to have source licenses?
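The trade-off the thread is arguing about (a shorter embryonic timeout frees half-open slots faster, but drops real clients whose handshake takes longer than the timeout, while a longer one lets a modest SYN rate hold the whole backlog) can be made concrete with a small queue model. The following is an added example, not code from this thread or from any BSD or Solaris kernel: it is a one-second-tick simulation of a half-open connection queue in which every SYN holds a slot until its handshake completes or the embryonic timer (the role TCPTV_KEEP_INIT plays above) expires it. The queue size, SYN rates and client handshake delays are constructed scenario values, and the names `simulate`, `steady_state_half_open` and `Entry` are this example's own.

```python
"""Toy model of a half-open (embryonic) TCP connection queue under SYN load.

Added example for the thread above; it is not kernel code. Each SYN occupies
one queue slot until the handshake completes (the client's ACK arrives) or the
embryonic timeout expires the entry. Time advances in whole seconds.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    expiry: int                  # second at which the embryonic timer fires
    completes_at: Optional[int]  # second the handshake finishes; None = never
    legit: bool                  # True for a real client, False for a bogus SYN


def steady_state_half_open(syn_rate: int, timeout_s: int) -> int:
    """Slots held at equilibrium by a stream of SYNs that never complete.

    With a timeout of T seconds and R never-completing SYNs per second, the
    queue settles at R*T entries, so the backlog is exhausted as soon as R*T
    exceeds it. Lowering T (75 -> 7 in the patch above) shrinks this number.
    """
    return syn_rate * timeout_s


def simulate(backlog: int, timeout_s: int, bogus_syn_rate: int,
             legit_handshakes: List[Tuple[int, int]],
             duration_s: int) -> Dict[str, int]:
    """Run the queue for duration_s seconds and report what happened.

    backlog:          maximum number of half-open entries (listen backlog).
    bogus_syn_rate:   SYNs per second whose handshake never completes.
    legit_handshakes: (arrival_second, completion_delay) pairs for real
                      clients; a client whose delay >= timeout_s can never
                      complete and is counted as 'expired_slow'.
    """
    queue: List[Entry] = []
    stats = {"accepted": 0, "refused_full": 0,
             "expired_slow": 0, "bogus_refused": 0}
    arrivals: Dict[int, List[int]] = {}
    for arrival, delay in legit_handshakes:
        arrivals.setdefault(arrival, []).append(delay)

    for t in range(duration_s + 1):
        # 1. Embryonic timer: drop every entry whose timeout has elapsed.
        kept = []
        for e in queue:
            if e.expiry <= t:
                if e.legit:
                    stats["expired_slow"] += 1  # a real client lost to the timer
            else:
                kept.append(e)
        queue = kept

        # 2. Handshakes that finish this second leave the half-open queue.
        kept = []
        for e in queue:
            if e.completes_at is not None and e.completes_at <= t:
                stats["accepted"] += 1
            else:
                kept.append(e)
        queue = kept

        # 3. This second's SYNs. Bogus ones are admitted first because they
        #    arrive continuously and compete for the same slots.
        for _ in range(bogus_syn_rate):
            if len(queue) < backlog:
                queue.append(Entry(t + timeout_s, None, False))
            else:
                stats["bogus_refused"] += 1
        for delay in arrivals.get(t, []):
            if len(queue) < backlog:
                queue.append(Entry(t + timeout_s, t + delay, True))
            else:
                stats["refused_full"] += 1  # real client turned away: queue full
    return stats


if __name__ == "__main__":
    # Constructed scenario: a backlog of 8, one bogus SYN per second, and
    # three real clients, one of which needs 10 s to finish its handshake.
    clients = [(0, 1), (3, 10), (12, 2)]
    for timeout in (75, 7):
        print(f"timeout={timeout:2d}s ->", simulate(8, timeout, 1, clients, 30))
    # Equilibrium held by the SYN rates Chris reports, before and after the patch:
    print(steady_state_half_open(300, 75), steady_state_half_open(300, 7))
```

With the 75-second timeout the single bogus SYN per second fills all eight slots within a few seconds and the client arriving at t=12 is refused outright; with the 7-second timeout the slots keep turning over and that client gets in, but the client needing 10 seconds is expired by the timer, which is exactly the hit loss Chris warns about for anything below 15-20 seconds. The `steady_state_half_open` figures show why the patch helps at all: at 300 SYNs per second the old timeout holds 22500 half-open entries at equilibrium, the new one 2100, both far beyond a small backlog, so the timeout alone only raises the rate an attacker needs rather than removing the exposure.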