Subject: Re: syn flooding handling ..
To: Murhy Paul <learning_netbsd@hotmail.com>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: netbsd-help
Date: 03/18/2004 21:42:37
On Thu, Mar 18, 2004 at 02:46:14PM +0530, Murhy Paul wrote:
> [...]
> From very little I know there is no definite fail-proof solution to syn
> attacks.
> Best or most widely used being syn cookies / rst cookies ..
> I was looking at the source code and tcp_input.c file does have all syn
> cache handling.
> But, being new wanted to know if that is on by default.
> ( version I am looking at is 1.6.1 .. )
As far as I know it's on by default, and was in the 1.6 branch.
> or does it have to be turned on, variables one can play with in this regard
> ??
I think you have the net.inet.tcp.syn_cache_limit and
net.inet.tcp.syn_bucket_limit sysctls, maybe others.
> can limits be set per port / service ??
No.
>
> And how well / what is the behaviour of netbsd when a default installation
> is put in front of a spoofed ip syn attack ?
I think the developers who implemented the syn cache tested it with
a flood on a 100Mbs LAN.
--
Manuel Bouyer <bouyer@antioche.eu.org>
NetBSD: 26 years of experience will always make the difference
--
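As an added example (not part of the thread above), a small POSIX sh script that relates the two sysctls named in the reply, net.inet.tcp.syn_cache_limit and net.inet.tcp.syn_bucket_limit, to the syn-cache drop counters a defender would watch: it parses the syn-cache section of `netstat -s -p tcp` and flags when either the global or the per-bucket cap has been hit. The exact wording of the netstat lines is an assumption about NetBSD's TCP statistics output, and the statistics block is a constructed sample so the script runs offline.

```shell
#!/bin/sh
# Added example, not the thread's or NetBSD's own code.  The netstat line
# wording matched below is an assumption; check it against your release.

# Constructed sample of the syn-cache part of `netstat -s -p tcp` so the
# script runs offline; feed it live output in practice.
SAMPLE_STATS='
    1203 SYN cache entries added
    1180 completed
    4 dropped due to overflow
    17 dropped due to bucket overflow
    2 timed out
'

# sc_counter LABEL [STATS]: print the number preceding LABEL, 0 if absent.
sc_counter() {
    label=$1
    stats=${2:-$SAMPLE_STATS}
    n=$(printf '%s\n' "$stats" | awk -v l="$label" 'index($0, l) { print $1; exit }')
    printf '%s\n' "${n:-0}"
}

# syn_cache_report [STATS]: print both overflow counters next to the sysctl
# that caps them; return 1 when either is non-zero, meaning half-open
# connections were discarded because the syn cache (or one hash bucket of
# it) was full, a sign the host is under SYN-flood pressure.
syn_cache_report() {
    stats=${1:-$SAMPLE_STATS}
    overflow=$(sc_counter 'dropped due to overflow' "$stats")
    bucket=$(sc_counter 'dropped due to bucket overflow' "$stats")
    echo "syn cache global overflow drops: $overflow (cap: net.inet.tcp.syn_cache_limit)"
    echo "syn cache bucket overflow drops: $bucket (cap: net.inet.tcp.syn_bucket_limit)"
    [ "$overflow" -eq 0 ] && [ "$bucket" -eq 0 ]
}
```

On a live NetBSD host, `syn_cache_report "$(netstat -s -p tcp)"` run from a periodic job gives a simple alarm; the current caps themselves are read with `sysctl net.inet.tcp.syn_cache_limit net.inet.tcp.syn_bucket_limit`.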