[rc5] Re: SYN flood

David Sowder davids at cosmic.swau.edu
Wed Jun 18 14:02:02 EDT 1997

On Wed, 18 Jun 1997, Donald J. Rude wrote:
> ratjamm at MIT.EDU wrote:
> >
> > The people you should really be contacting about this attack are the people at
> > http://www.cert.org/
>  Thank you for this information, I'm going to look into it.
> The reason I was reporting it to the RC5 mailing list was simply because
> I wanted to let other people (running the personal proxy) to know it was
> happening (and when) so other people could be aware.  AND if it's happening
> to other people (because of RC5?) we can coordinate our own information.
> (Yes I CC'd this to the RC5 list again.  Perhaps other people want that URL.)

I'm CC'ing the list because there seem to be quite a few linux users here
and they find this tidbit useful: 

If you only get that message once or twice at a time, it's probably
because your machine has gotten a request or two more than it had queue
entries listening for.  Most services have a connection backlog queue that
handles connections that can't be currently processed, but will be
processed as it gets to them in the next x number of seconds.  From what I
understand from lurking on the Linux lists, you'll get the possible SYN
flooding message if one of these backlog queues is ~full when another
request comes in, i.e. requests are coming in too fast.  They've said that
this may indicate that the backlog queues need to be made larger.  (I
think I recall the default being 5 entries, but I may be mistaken.)

If you get _a lot_ of "possible SYN flood" messages from the kernel,
_then_ you are most likely under attack.  A few messages is normal as I
understand it.

David R. Sowder           sowderd at swau.edu                  davids at hpnc.com
Assistant Director of Information Services           Chief Network Engineer
Southwestern Adventist University              Hypernet Communications Inc.
http://www.swau.edu/~sowderd/                   http://www.jci.net/~davids/

To unsubscribe, send email to majordomo at llamas.net with 'unsubscribe rc5' in the body.

More information about the rc5 mailing list