Syn info and a patch for linux 2.0.21

From blizzard@odin.nyser.net Wed Sep 25 11:55:12 1996
From: Christopher Blizzard <blizzard@odin.nyser.net>
To: nanog@merit.edu, iepg@iepg.org
Subject: Re: New Denial of Service Attack ... 

In message <199609250552.AA19213@zen.isi.edu>, postel@ISI.EDU writes:
:----- Begin Included Message -----
:
:Subject: Re: FW: Latest attacks....
:Date: Thu, 19 Sep 1996 08:39:02 +0100
:From: Jon Crowcroft 
:
:
:Date: Wed, 18 Sep 1996 14:32:14 -0600
:From: vjs@mica.denver.sgi.com (Vernon Schryver)
:Subject: SYN bombing defense
:
:As reported here, in article 
:in comp.protocols.tcp-ip, Robert Morris wrote:
:
:>Perhaps TCP's listen queue should use random early drop (RED), a
:>technique used by routers to prevent any one source from monopolizing
:>a queue. See http://www-nrg.ee.lbl.gov/floyd/abstracts.html#FJ93 or
:>rfc1254.
:> ...
:
:I've just hacked IRIX 6.3 to do random-drop when sonewconn() in
:tcp_input.c fails.  It works great!  An IP22 receiving 1200 bogus
:SYN's per second directed to port 23 continues to answer requests
:for new telnet as if nothing is happening.
:

Alan Cox just released a patch vs Linux 2.0.21 that does this.  It works 
quite well.  As best I can tell from the patch and the mail that preceded 
it, it attempts to maintain about 30% free in the receive queue.  I've 
been running it for a couple of days and it does quite well defending 
against these attacks.  I've stuck it on my web page.

http://odin.nyser.net/~blizzard/linux/

--Chris

:
:Vernon Schryver,  vjs@sgi.com
:
:------- End of Forwarded Message
:
:----- End Included Message -----
-------------------------------------------------------------------
Christopher Blizzard   | "The truth knocks on the door and you say
blizzard@nysernet.org  | 'Go away.  I'm looking for the truth,' and
NYSERNet, Inc.         | so it goes away."  --Robert Pirsig
-------------------------------------------------------------------
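
[Added example, not part of the original mail thread and not code from the IRIX change or the Linux patch.] The simulation below compares a listen queue that refuses new SYNs when full with one that random-drops a half-open entry instead, as described in the message above. Queue length, timeout, flood rate and the one-tick handshake are assumed values; it models only drop-when-full, not the patch's "about 30% free" target.

```c
#include <stdio.h>

#define QLEN    128   /* half-open (SYN_RCVD) slots on the listener (assumed) */
#define TIMEOUT 75    /* ticks until an unanswered SYN-ACK is given up (assumed) */
#define FLOOD   20    /* spoofed SYNs arriving per tick (assumed) */
#define TICKS   5000

struct slot { int used, legit, born; };
static unsigned long seed;

static unsigned rnd(void) {            /* small LCG: repeatable runs */
    seed = (seed * 1103515245UL + 12345UL) & 0xffffffffUL;
    return (unsigned)(seed >> 16) & 0x7fff;
}

/* Queue one SYN. With the queue full, tail drop refuses it, while
 * random drop overwrites a randomly chosen half-open entry. */
static void syn(struct slot *q, int legit, int now, int random_drop) {
    int i = 0;
    while (i < QLEN && q[i].used) i++;
    if (i == QLEN) {
        if (!random_drop) return;
        i = (int)(rnd() % QLEN);
    }
    q[i].used = 1; q[i].legit = legit; q[i].born = now;
}

/* Percentage of real clients whose handshake completes under flood. */
int simulate(int random_drop) {
    struct slot q[QLEN] = {{0, 0, 0}};
    int done = 0, t, i, turn;
    seed = 1996;
    for (t = 0; t < TICKS; t++) {
        for (i = 0; i < QLEN; i++) {
            if (!q[i].used) continue;
            if (q[i].legit && q[i].born < t) { q[i].used = 0; done++; } /* ACK came back */
            else if (t - q[i].born >= TIMEOUT) q[i].used = 0;           /* spoofed: expires */
        }
        turn = (int)(rnd() % (FLOOD + 1));   /* where the real SYN lands in the burst */
        for (i = 0; i <= FLOOD; i++)
            syn(q, i == turn, t, random_drop);
    }
    return done * 100 / TICKS;
}

int main(void) {
    printf("tail drop %d%%, random drop %d%%\n", simulate(0), simulate(1));
    return 0;
}
```

With tail drop the spoofed entries hold their slots for the full timeout, so a real SYN only gets in when a slot happens to expire just before it arrives; with random drop a real SYN is always queued and only has to survive the evictions that occur before its ACK returns.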


From panzer@DHP.COM Sun Sep 29 21:21:38 1996
From: Matt <panzer@DHP.COM>
To: Multiple recipients of list SERVER-LINUX <SERVER-LINUX@NETSPACE.ORG>
Subject: Re: SERVER-LINUX Digest - 24 Sep 1996 to 25 Sep 1996

Christopher Blizzard <blizzard@nysernet.org> wrote:
: Alan Cox did release a patch for testing that I haven't had any problems
: with.  If you want you can download the patch from:

: http://odin.nyser.net/~blizzard/linux/

: Please read the mail from Alan regarding this patch and realize the
: consequences of what it does.  Thanks.

ftp://ftp.dhp.com/pub/linux/security/linux.2.0.21.syn-flood.patch

It's a hand generated one, as the above one suffers some major destruction
if retrieved via LYNX (line wrap is done via carriage-return).  Not sure
if this is a product of Lynx, or not.  (One day I'll bother with X11 :)

Running a test box with the patch listed above, and a slightly modded
version of my virtual inetd (SOMAXCONN added to listen call), and I was
able to keep a synflood on local ether going, and still telnet in.

 -Matt (panzer@dhp.com)  --  DataHaven Project - http://www.dhp.com/
  "That which can never be enforced should not be prohibited."


From alan@CYMRU.NET Mon Sep 30 05:59:35 1996
From: Alan Cox <alan@CYMRU.NET>
To: Multiple recipients of list SERVER-LINUX <SERVER-LINUX@NETSPACE.ORG>
Subject: Re: SERVER-LINUX Digest - 24 Sep 1996 to 25 Sep 1996

> ftp://ftp.dhp.com/pub/linux/security/linux.2.0.21.syn-flood.patch
>
> It's a hand generated one, as the above one suffers some major destruction
> if retrieved via LYNX (line wrap is done via carriage-return).  Not sure
> if this is a product of Lynx, or not.  (One day I'll bother with X11 :)

The master copy (and it does patch ok) is on

        http://www.uk.linux.org/NetNews.html

This is the one which gets updated from time to time

