[rc5] Re: SYN flood
davids at cosmic.swau.edu
Wed Jun 18 14:02:02 EDT 1997
On Wed, 18 Jun 1997, Donald J. Rude wrote:
> ratjamm at MIT.EDU wrote:
> > The people you should really be contacting about this attack are the people at
> > http://www.cert.org/
> Thank you for this information, I'm going to look into it.
> The reason I was reporting it to the RC5 mailing list was simply because
> I wanted to let other people (running the personal proxy) to know it was
> happening (and when) so other people could be aware. AND if it's happening
> to other people (because of RC5?) we can coordinate our own information.
> (Yes I CC'd this to the RC5 list again. Perhaps other people want that URL.)

I'm CC'ing the list because there seem to be quite a few Linux users here
and they find this tidbit useful:

If you only get that message once or twice at a time, it's probably
because your machine has gotten a request or two more than it had queue
entries listening for. Most services have a connection backlog queue that
handles connections that can't be currently processed, but will be
processed as it gets to them in the next x number of seconds. From what I
understand from lurking on the Linux lists, you'll get the possible SYN
flooding message if one of these backlog queues is ~full when another
request comes in, i.e. requests are coming in too fast. They've said that
this may indicate that the backlog queues need to be made larger. (I
think I recall the default being 5 entries, but I may be mistaken.)

If you get _a lot_ of "possible SYN flood" messages from the kernel,
_then_ you are most likely under attack. A few messages is normal as I

David R. Sowder sowderd at swau.edu davids at hpnc.com
Assistant Director of Information Services Chief Network Engineer
Southwestern Adventist University Hypernet Communications Inc.
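
The rule of thumb in the message above (a stray warning points to a full backlog queue, a sustained run of warnings points to an attack), as an added example that is not part of the original post. The syslog line format, the 60-second window, the threshold of 10 and the names `build_sample` and `classify` are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed message format; the exact kernel wording differs between versions.
SYN_RE = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ kernel: .*"
    r"possible SYN flood(?:ing)? on port (\d+)", re.I)

def build_sample():
    """Constructed syslog lines: two stray warnings and one sustained burst."""
    msg = "proxy kernel: possible SYN flooding on port {}. Sending cookies."
    lines = ["Jun 18 13:58:01 " + msg.format(8000),
             "Jun 18 14:01:44 proxy sshd[211]: unrelated line",
             "Jun 18 14:20:17 " + msg.format(8000)]
    lines += [f"Jun 18 15:00:{s:02d} " + msg.format(80) for s in range(40)]
    return "\n".join(lines)

def classify(log_text, window=timedelta(seconds=60), threshold=10, year=1997):
    """Return {port: (peak warnings in any window, verdict)}.

    window and threshold are assumed tuning values, not figures from the post.
    Syslog timestamps carry no year, so one is supplied by the caller.
    """
    times = {}
    for line in log_text.splitlines():
        m = SYN_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            times.setdefault(int(m.group(2)), []).append(ts)
    result = {}
    for port, stamps in times.items():
        stamps.sort()
        peak = start = 0
        # Sliding window: advance 'start' until the span fits inside 'window'.
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        verdict = "likely SYN flood" if peak >= threshold else "backlog pressure"
        result[port] = (peak, verdict)
    return result

if __name__ == "__main__":
    for port, (peak, verdict) in sorted(classify(build_sample()).items()):
        print(f"port {port}: peak {peak} warnings per window -> {verdict}")
```

Counting is done per port because the backlog queue belongs to each listening service, so a busy port and a quiet one are judged separately.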