Great Circle Associates Firewalls
(September 1996)
 


Subject: Improving Solaris resistance to syn attacks
From: Geoff Mulligan <geoff @ mulligan . com>
Date: Fri, 20 Sep 1996 03:00:45 -0600
To: firewalls @ GreatCircle . COM

There are two pertinent kernel variables that are settable via ndd

tcp_conn_req_max - which sets the maximum number of connections queued
per listener (default 32). It has a maximum allowed value of 1024.

tcp_ip_abort_cinterval - sets the number of milliseconds to hold the
queued connections before dropping them (default 180 seconds). It has a
minimum allowed value of 1 second and a max of 4294967 seconds or about
50 days.

I've written (and now testing) a program (synsave) that dynamically
adjusts the tcp_ip_abort_cinterval value depending on the number of half
open connections (hocs) queued on the system.  When the number of hocs
exceeds a threshold value the program adjusts the value downward to more
aggressively drop these connections.  When the number of hocs drops to a
sane level the program will adjust tcp_ip_abort_cinterval back to its
preset value.

	geoff
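The adaptive policy Geoff describes (poll the half-open connection count, shorten tcp_ip_abort_cinterval with ndd when it crosses a high-water mark, restore the preset once it falls back) as an added example in POSIX sh. This is not Geoff's synsave program, which is not shown on the page; it is a sketch written for this archive. It assumes the Solaris 2.x `ndd -set /dev/tcp tcp_ip_abort_cinterval` interface named in the post, that `netstat -an -f inet` lists half-open sockets with state SYN_RCVD in the last column, and the watermark and "aggressive" interval values are assumptions chosen for illustration. The netstat dump it counts is constructed inline so the script runs offline; set MONITOR=1 and DRY_RUN=0 as root on a real host to actually apply the ndd settings.

```shell
#!/bin/sh
# Added example, not the synsave program from the post. Assumes Solaris ndd(1M)
# and netstat(1M); thresholds and the aggressive interval are assumed values.

PRESET_INTERVAL=${PRESET_INTERVAL:-180000}        # ms; Solaris default is 180 s
AGGRESSIVE_INTERVAL=${AGGRESSIVE_INTERVAL:-10000} # ms; assumed "under attack" value
HIGH_WATER=${HIGH_WATER:-24}   # hocs at or above which the timer is shortened (assumed)
LOW_WATER=${LOW_WATER:-8}      # hocs at or below which the preset is restored (assumed)
DRY_RUN=${DRY_RUN:-1}          # 1: print the ndd command instead of running it

# count_hocs: read `netstat -an -f inet` output on stdin and count TCP sockets
# in SYN_RCVD, i.e. entries sitting in the listener's half-open queue.
count_hocs() {
    awk '$NF == "SYN_RCVD" { n++ } END { print n + 0 }'
}

# choose_interval HOCS CURRENT: hysteresis policy. At or above HIGH_WATER use the
# aggressive interval; at or below LOW_WATER use the preset; in between keep the
# current value so the timer does not flap around a single threshold.
choose_interval() {
    hocs=$1; cur=$2
    if [ "$hocs" -ge "$HIGH_WATER" ]; then
        echo "$AGGRESSIVE_INTERVAL"
    elif [ "$hocs" -le "$LOW_WATER" ]; then
        echo "$PRESET_INTERVAL"
    else
        echo "$cur"
    fi
}

# set_interval MS: apply the new abort interval via ndd (requires root on Solaris).
set_interval() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ndd -set /dev/tcp tcp_ip_abort_cinterval $1"
    else
        ndd -set /dev/tcp tcp_ip_abort_cinterval "$1"
    fi
}

# step CURRENT: one pass of the monitor over a netstat dump read from stdin.
# Applies a change only when the policy asks for one; prints the resulting interval.
step() {
    current=$1
    hocs=$(count_hocs)
    want=$(choose_interval "$hocs" "$current")
    if [ "$want" != "$current" ]; then
        set_interval "$want" >&2
    fi
    echo "$want"
}

# monitor: poll the live kernel every POLL_SECS seconds (only when MONITOR=1).
monitor() {
    current=$(ndd -get /dev/tcp tcp_ip_abort_cinterval)
    while :; do
        current=$(netstat -an -f inet | step "$current")
        sleep "${POLL_SECS:-2}"
    done
}

# sample_netstat N: constructed `netstat -an -f inet` output with N half-open
# sockets on port 25 plus two unrelated sockets, mimicking the Solaris layout.
sample_netstat() {
    n=$1
    printf '%s\n' 'TCP'
    printf '%s\n' '   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State'
    printf '%s\n' '-------------------- -------------------- ----- ------ ----- ------ -------'
    printf '%s\n' '10.0.0.5.22          10.0.0.9.1034        8760      0  8760      0 ESTABLISHED'
    i=0
    while [ "$i" -lt "$n" ]; do
        printf '10.0.0.5.25          192.0.2.%d.%d          0      0  8760      0 SYN_RCVD\n' \
            "$((i % 254 + 1))" "$((1024 + i))"
        i=$((i + 1))
    done
    printf '%s\n' '10.0.0.5.80          10.0.0.7.2211        8760      0  8760      0 TIME_WAIT'
}

if [ "${MONITOR:-0}" = 1 ]; then
    monitor
fi
```

The two watermarks matter more than the exact interval: a single threshold makes the timer oscillate every poll as the queue hovers around it, and dropping back to the preset too early while the flood is still running just refills the queue. Note that the counter sees only what netstat reports, so a listener whose queue is already full (tcp_conn_req_max reached) silently discards further SYNs and those never show up as hocs.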

