SUMMARY: denial of service attacks

chiem@azc.com
Fri, 26 Sep 1997 10:08:50 -0700 (PDT)

My original inquiry was:
>
>Up to a few patches before the latest set for 2.5.1, the following
>
>/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max 1024
>
>in the file /etc/init.d/inetinit
>
>worked in preventing denial of service attacks. Now, ndd doesn't take the
>tcp_conn_req_max anymore and complains about it. Does anyone know what
>the parameter is to increase the TCP listening queue?

Thanks to the people who responded:
brw@jazz.njit.edu
sysadm@its.brooklyn.cuny.edu
David Schiffrin <daves@adnc.com>
Shaun Welch <swelch@corp.home.net>
Casper Dik <casper@holland.Sun.COM>

It's patch 103582-11 that causes this.

The best response was from Casper Dik:

The old parameter setting didn't really prevent denial of service attacks, it
made them more difficult.

After the new patch, the denial of service fix is in the TCP code; the
two new tunables are tcp_conn_req_max_q and tcp_conn_req_max_q0;
it's a split of the old one.

The first one is a queue of established connections (which successfully completed
the 3-way handshake; this queue can only overflow if your server is slow).

The second queue is a queue that handles connections of which only the initial
SYN was received; if it overflows, old entries in the queue are dropped,
so possibly valid connections will still get through.

The default for q0 is 1024, and you don't really need to tune it anymore.

Casper
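A hardening-script fragment, added here as an example and not part of the original posting or of any Sun-supplied file: instead of hard-coding one tunable name in /etc/init.d/inetinit (which is what broke once patch 103582-11 split tcp_conn_req_max into tcp_conn_req_max_q and tcp_conn_req_max_q0), it reads the parameter list that `ndd /dev/tcp \?` prints and emits the ndd commands that apply to the running kernel. The two parameter listings are constructed samples of that output, and the value 1024 for tcp_conn_req_max_q is simply the number from the original inquiry, not a tuning recommendation; per the response above, q0 already defaults to 1024 and is left alone.

```sh
#!/bin/sh
# Added example, not from the original post: pick the listen-queue tunable(s)
# that the running Solaris kernel actually supports before calling ndd.

# Constructed samples of `ndd /dev/tcp \?` output (only the first column matters).
SAMPLE_PRE_PATCH="tcp_conn_req_max (read and write)
tcp_ip_abort_interval (read and write)"
SAMPLE_POST_PATCH="tcp_conn_req_max_q (read and write)
tcp_conn_req_max_q0 (read and write)
tcp_ip_abort_interval (read and write)"

# has_param LIST NAME: succeed if NAME appears as a tunable in LIST.
has_param() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { found = 1 } END { exit found ? 0 : 1 }'
}

# plan_ndd_commands LIST: print the ndd command(s) appropriate for this kernel.
# Post-patch kernels: set the established-connection backlog (q) and leave the
# half-open SYN queue (q0) at its default of 1024. Pre-patch kernels: set the
# single old tunable. Fail if neither name is present.
plan_ndd_commands() {
    list="$1"
    if has_param "$list" tcp_conn_req_max_q; then
        # 1024 here is the value from the original inquiry (assumption, not advice).
        echo "/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1024"
    elif has_param "$list" tcp_conn_req_max; then
        echo "/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max 1024"
    else
        echo "no known TCP listen-queue tunable reported by ndd" >&2
        return 1
    fi
}

# Only touch the real system when asked to and when ndd is present.
if [ "${1:-}" = "--live" ] && [ -x /usr/sbin/ndd ]; then
    live_list=$(/usr/sbin/ndd /dev/tcp \?)
    plan_ndd_commands "$live_list" | sh -x
else
    echo "# pre-patch kernel would get:"
    plan_ndd_commands "$SAMPLE_PRE_PATCH"
    echo "# post-patch kernel would get:"
    plan_ndd_commands "$SAMPLE_POST_PATCH"
fi
```

Run without arguments it only prints what it would do for each sample listing; `--live` runs the chosen command on the local host. Checking the parameter list first is the practical lesson of the thread: an init script that assumes a tunable name will silently stop applying the setting after a patch renames it.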