>This afternoon three of us were watching a d00d have a go at a web server.
>He was spoofing IP and using stolen account information of a diplomat.
>No problem there. Damn near impossible to trace.
>But he was also constantly hitting a large web server with SYN packets on
>every port that he could reach. After about 15 minutes the web server
>crashed. I thought SYNs were used against routers and gateways. What was
>this intrepid explorer trying to do?
Read Stevens, TCP/IP Illustrated Vol. 3, Chap. 14, the section about
the SYN_RCVD bug. The first SYN creates a "proto" connection and sets the
TCP control block timer to 75 seconds (TCPTV_KEEP_IDLE). The second
SYN (without ACK) sets the timer to 2 hours (tcp_keepidle)--even though the
connection has *not* been established.
Hammering the server with SYNs (2 per association <server ip>,
<server port>, <client ip>, <client port>) slowly chews through memory. ;(
The code is in tcp_input.c:

        /*
         * Segment received on connection.
         * Reset idle time and keep-alive timer.
         */
        tp->t_idle = 0;
        tp->t_timer[TCPT_KEEP] = tcp_keepidle;    <--------
That assignment should be qualified with "if ( tp->t_state == TCPS_ESTABLISHED )"
or at least "if ( tp->t_state != TCPS_SYN_RECEIVED )".
WARNING: I have not tested this thoroughly enough to allay my
Jonathan M. Bresler 202-452-2831 breslerj @
MS-169 Federal Reserve Board of Governors Washington DC 20551
Speaking for myself. Others speak for the Federal Reserve Board of Governors
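As an added example, not part of the post above and not code from the BSD sources: a small user-space C model of the SYN_RCVD path the post describes, with the unqualified keep-alive reset from tcp_input.c beside the qualified one. The constant names PR_SLOWHZ, TCPTV_KEEP_INIT and TCPTV_KEEP_IDLE follow 4.4BSD's tcp_timer.h (there the 75-second timer for a new proto-connection is TCPTV_KEEP_INIT, and tcp_keepidle defaults to TCPTV_KEEP_IDLE, two hours). The fixed-size TCB table and its size, the segment layout, the spoofed client address 10.0.0.1 and server 192.168.0.1:80, and the rearming of the timer when a handshake completes are this model's own assumptions. It shows that a single bare SYN per association is reaped after 75 seconds, that a second bare SYN keeps the proto-connection alive for two hours under the unqualified code, that the table fills once enough associations are hit, and that the qualification does not break a genuine SYN/ACK handshake.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PR_SLOWHZ        2                        /* slow-timer ticks per second */
#define TCPTV_KEEP_INIT  (75 * PR_SLOWHZ)         /* 75 s: timer for a new proto-connection */
#define TCPTV_KEEP_IDLE  (120 * 60 * PR_SLOWHZ)   /* 2 h: default value of tcp_keepidle */
#define TH_SYN           0x02
#define TH_ACK           0x10
#define MAX_TCB          256                      /* this model's memory budget (assumption) */

enum { TCPS_FREE, TCPS_SYN_RECEIVED, TCPS_ESTABLISHED };

struct segment { uint32_t src, dst; uint16_t sport, dport; uint8_t flags; };

struct tcpcb {
    int state;
    int t_idle;
    int t_keep;          /* stands in for tp->t_timer[TCPT_KEEP], in slow-timer ticks */
    struct segment id;   /* the 4-tuple (association) that owns this block */
};

static int tcp_keepidle = TCPTV_KEEP_IDLE;

/* Find the block for an association, or (want_free) a free block for a new one. */
static struct tcpcb *tcb_find(struct tcpcb *tbl, const struct segment *s, int want_free)
{
    for (int i = 0; i < MAX_TCB; i++) {
        struct tcpcb *tp = &tbl[i];
        if (want_free) {
            if (tp->state == TCPS_FREE) return tp;
        } else if (tp->state != TCPS_FREE && tp->id.src == s->src && tp->id.dst == s->dst &&
                   tp->id.sport == s->sport && tp->id.dport == s->dport) {
            return tp;
        }
    }
    return NULL;
}

/* Model of the tcp_input() path; 'fixed' applies the suggested qualification.
 * Returns -1 when no block can be allocated, i.e. the memory the attack chews through is gone. */
static int tcp_input(struct tcpcb *tbl, const struct segment *s, int fixed)
{
    struct tcpcb *tp = tcb_find(tbl, s, 0);
    if (tp == NULL) {
        if (!(s->flags & TH_SYN)) return 0;   /* nothing to match (a real stack would RST) */
        if ((tp = tcb_find(tbl, s, 1)) == NULL) return -1;
        tp->state = TCPS_SYN_RECEIVED;        /* first SYN: a "proto" connection */
        tp->id = *s;
        tp->t_idle = 0;
        tp->t_keep = TCPTV_KEEP_INIT;         /* 75 s to finish the handshake */
        return 0;
    }
    /* Segment received on connection: reset idle time and keep-alive timer. */
    tp->t_idle = 0;
    if (!fixed || tp->state == TCPS_ESTABLISHED)
        tp->t_keep = tcp_keepidle;            /* unqualified in tcp_input.c: 2 h even in SYN_RCVD */
    if (tp->state == TCPS_SYN_RECEIVED && (s->flags & TH_ACK)) {
        tp->state = TCPS_ESTABLISHED;
        tp->t_keep = tcp_keepidle;            /* model choice: arm the idle timer once established */
    }
    return 0;
}

/* Model of tcp_slowtimo(), called PR_SLOWHZ times a second.  An expired keep timer in
 * SYN_RECEIVED drops the proto-connection; once established BSD would send a probe,
 * which this model represents by simply rearming the timer. */
static void tcp_slowtimo(struct tcpcb *tbl)
{
    for (int i = 0; i < MAX_TCB; i++) {
        struct tcpcb *tp = &tbl[i];
        if (tp->state == TCPS_FREE || tp->t_keep == 0 || --tp->t_keep != 0) continue;
        if (tp->state == TCPS_SYN_RECEIVED) tp->state = TCPS_FREE;
        else tp->t_keep = tcp_keepidle;
    }
}

/* Attacker sends syns_per_assoc bare SYNs on each of n_assoc associations (constructed:
 * spoofed 10.0.0.1 -> 192.168.0.1:80, one client port per association), then elapsed_s
 * seconds pass.  Returns how many proto-connections are still holding memory. */
int simulate_attack(int n_assoc, int syns_per_assoc, int fixed, int elapsed_s)
{
    struct tcpcb tbl[MAX_TCB];
    memset(tbl, 0, sizeof tbl);
    for (int i = 0; i < n_assoc; i++) {
        struct segment s = { 0x0a000001u, 0xc0a80001u, (uint16_t)(1024 + i), 80, TH_SYN };
        for (int k = 0; k < syns_per_assoc; k++) tcp_input(tbl, &s, fixed);
    }
    for (int t = 0; t < elapsed_s * PR_SLOWHZ; t++) tcp_slowtimo(tbl);
    int half_open = 0;
    for (int i = 0; i < MAX_TCB; i++) half_open += (tbl[i].state == TCPS_SYN_RECEIVED);
    return half_open;
}

/* A genuine handshake (SYN, then ACK) must still reach ESTABLISHED with the fix applied. */
int simulate_handshake(int fixed)
{
    struct tcpcb tbl[MAX_TCB];
    memset(tbl, 0, sizeof tbl);
    struct segment s = { 0x0a000002u, 0xc0a80001u, 40000, 80, TH_SYN };
    tcp_input(tbl, &s, fixed);
    s.flags = TH_ACK;
    tcp_input(tbl, &s, fixed);
    struct tcpcb *tp = tcb_find(tbl, &s, 0);
    return tp ? tp->state : TCPS_FREE;
}

int main(void)
{
    printf("1 SYN/assoc, unqualified, 80 s later: %d half-open\n", simulate_attack(100, 1, 0, 80));
    printf("2 SYNs/assoc, unqualified, 80 s later: %d half-open\n", simulate_attack(100, 2, 0, 80));
    printf("2 SYNs/assoc, qualified, 80 s later: %d half-open\n", simulate_attack(100, 2, 1, 80));
    return 0;
}
```

The model deliberately rearms the keep-alive timer when the handshake completes; with the post's weaker alternative ("!= TCPS_SYN_RECEIVED" only) the ACK that moves the block to ESTABLISHED would otherwise leave the 75-second timer running into the established state, which is the kind of side effect to check before shipping either qualification.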