FreeBSD SYN attack info

From Fri Sep 20 15:34:03 1996
From: Matt Bush <>
To: nanog@MERIT.EDU
Subject: Re: SYN flood messages flooding my mailbox

> In message <>, Avi Freedman writes:
> > 
> > > implementation.  This is a denial of service exposure that has gone
> > > unaddressed in host implementations until recently.  BSD now uses a
> > > hash table on the TCP PCBs (protocol control blocks in the kernel) and
> > > with change of removal of the check can support close to 64K-2000 PCBs
> > 
> > Hmm.  Interesting.  I was told that NetBSD did not...
> > Which version of BSD should I look at?  A hash table on a static array of
> > PCBs is a much better solution than letting a linked list get to 2000
> > entries...
> Oops.  That's in a BSDI patch (PATCH K210-019) but I'm not sure about
> FreeBSD or NetBSD distributions since I don't have one handy.
I'm not sure about prior releases, but FreeBSD 2.1.0 and above do hash
PCB's, with a default hash size of 128.  The constant name is TCBHASHSIZE
in netinet/tcp_subr.c.  To raise it, just add

options         "TCBHASHSIZE=2048"	# More capable TCB hash

  ... and if you feel the need, add

options         "UDBHASHSIZE=1024"	# More capable UDB hash

to your kern config file.

> Curtis
> ps- (My 6 year old has a FreeBSD system, but its 2.0.5.  Got to get
> him to upgrade. :)
Version 2.1.5-Release is now available.  ;-)



From Sat Sep 21 21:09:33 1996
From: "Jonathan M. Bresler" <>;
Subject: SYN attack. how does it *really* work

Michael Dillon wrote:
> If it only takes 8 SYN packets to lock up a socket for 75 seconds then
> effective SYN flood attacks certainly *CAN* be launched from a dialup
> connection. And if the definition of an effective attack allows for
> intermittently shutting down a socket then effective attacks certainly
> *CAN be launched from places like Uruguay, Brazil, Indonesia and so forth.

	not 8, only 2 SYN packets into the same connection are needed
		(connection is a single src addr, src port, dest addr
		 dest port 4-tuple)
	not 75 seconds, ~11 minutes.

	the essence of the bug is:

	one timer t_timer[TCPT_KEEP] used for 2 purposes
		--to hold the 75 second half-open timer
		--to hold the 2 hour keepalive timer
	the first SYN packet sets the timer to 75 seconds
	the second trips the bug and resets the timer to 2 hours

	so where does the 11 minutes come from?

	the server (target) send SYN-ACK packets, and retransmits
	the SYN-ACK until it either gets a response or gives up
	when TCP_MAXRXTSHIFT is exceeded.  the latter take ~11 minutes.

	the fix is to qualify the settting of hte timer ala:

	if (TCPS_HAVEESTABLISHED(tp->t_state))
		tp->t_timer[TCPT_KEEP] = tcp_keepidle;

	and to set the timer a each location where the TCP/IP state
	machine transitions to TCPS_ESTABLISHED.

	each half-open socket consumes 264 bytes of memory (assuming
	perfect allocation ;)

	all BSD derived TCP/IP implementations are/may be susceptible
	to this bug.  that includes AIX, SVR4, and SunOS.

	stevens TCP/IP illustrated vol 3 p191 explains this much beter
	than i can
Jonathan M. Bresler           FreeBSD Postmaster             jmb@FreeBSD.ORG
FreeBSD--4.4BSD Unix for PC clones, source included.
PGP 2.6.2 Fingerprint:      31 57 41 56 06 C1 40 13  C5 1C E3 E5 DC 62 0E FB

Last modified