Eric.Schenk@dna.lth.se
1997-Feb-28 08:00 UTC
forwarded from BoS: Linux anti-SYN flooding patch
I have just finished a patch to linux 2.0.29 that provides the SYN cookies protection against SYN flood attacks. You can grab it from my home page at:

    http://www.dna.lth.se/~erics/software/tcp-syncookies-patch-1.gz

You can also follow the pointers from my home page (see the signature) to get a very short blurb about this patch.

Quick synopsis: This implements the SYN cookie defense against SYN flooding. This implementation is a full bells and whistles version of the defense worked out by myself and Dan Bernstein. The defense is only used when an attack appears to be under way.

It also implements an alternative defense that I call RST cookies. RST cookies have the drawback that they may not make it through all firewall setups. They have the advantage that they don't increase the probability of a stuck TCP over lossy connections. (SYN cookies and random drop defenses both increase this probability. SYN cookies slightly more than random drops.) It's in the patch right now because I am still doing some experiments with it, and because I kind of like the idea. You can turn on both defenses at once if you want, but one or the other alone should be enough.

This patch does not require any modifications to the size of the backlog queue in programs that need to be defended. Just apply the kernel patch, turn on the option in the kernel configurations and you should be set.

I would classify this as an alpha quality patch. I've tested it myself, and it seems to work, but I make no guarantees. Please give me feedback!

-- 
Eric Schenk                               www: http://www.dna.lth.se/~erics
Dept. of Comp. Sci., Lund University      email: Eric.Schenk@dna.lth.se
Box 118, S-221 00 LUND, Sweden            fax: +46-46 13 10 21   ph: +46-46 222 96 38

[mod: Forwarded by Richard Jones and Robert Stone before it reached linux-security -- REW]
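To show what the SYN cookie defense mentioned above actually does on the wire, here is an added, self-contained illustration of the general Bernstein scheme. It is not code from Eric Schenk's patch and does not claim to match the patch's layout or hash: the 32-bit cookie is used as the server's initial sequence number in the SYN-ACK, so the server keeps no per-connection state while under attack; when the client's final ACK arrives carrying ack_seq = cookie + 1, the server recomputes the hash and, if it matches and the embedded time counter is recent, recovers the MSS and creates the connection only then. The 5/3/24-bit split, the MSS table, the 64-second counter granularity, the 4-slot maximum age, the two secret words and the mixing function are all assumptions made for this example (the mixer is a non-cryptographic stand-in for the keyed hash a real kernel would use).

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration of a SYN cookie (Bernstein scheme), not the patch's code.
 * Cookie layout assumed here:
 *   bits 31..27  t mod 32    (t = 64-second counter when the SYN arrived)
 *   bits 26..24  MSS index   (into mss_table below)
 *   bits 23..0   keyed hash of (saddr, daddr, sport, dport, t)
 */

/* Hypothetical MSS table; the real kernel's values differ. */
static const uint16_t mss_table[8] = {64, 256, 512, 536, 1024, 1440, 1460, 4312};

/* Constructed server secrets; a real implementation draws these at random. */
static const uint32_t secret[2] = {0x9e3779b9u, 0x7f4a7c15u};

/* Cookies older than this many 64-second slots are refused. */
#define MAX_COOKIE_AGE 4u

/* Non-cryptographic mixer (stand-in for a real keyed hash). */
static uint32_t mix(uint32_t h)
{
    h ^= h >> 16; h *= 0x85ebca6bu;
    h ^= h >> 13; h *= 0xc2b2ae35u;
    h ^= h >> 16;
    return h;
}

static uint32_t cookie_hash(uint32_t saddr, uint32_t daddr,
                            uint16_t sport, uint16_t dport, uint32_t t)
{
    uint32_t h = secret[0];
    h = mix(h ^ saddr);
    h = mix(h ^ daddr);
    h = mix(h ^ (((uint32_t)sport << 16) | dport));
    h = mix(h ^ t ^ secret[1]);
    return h & 0xffffffu;           /* low 24 bits go into the cookie */
}

/* Server side, on SYN: build the ISN to send in the SYN-ACK. Nothing is stored. */
uint32_t syncookie_make(uint32_t saddr, uint32_t daddr, uint16_t sport,
                        uint16_t dport, uint16_t mss, uint32_t t)
{
    uint32_t idx = 0;
    for (uint32_t i = 0; i < 8; i++)   /* largest table entry <= client MSS */
        if (mss_table[i] <= mss)
            idx = i;
    return ((t & 31u) << 27) | (idx << 24)
         | cookie_hash(saddr, daddr, sport, dport, t);
}

/*
 * Server side, on the final ACK: ack_seq - 1 is the cookie the client echoed.
 * Returns the MSS to use for the new connection, or 0 if the cookie is forged
 * or too old. `now` is the current 64-second counter.
 */
uint16_t syncookie_check(uint32_t cookie, uint32_t saddr, uint32_t daddr,
                         uint16_t sport, uint16_t dport, uint32_t now)
{
    uint32_t tbits = cookie >> 27;
    uint32_t idx   = (cookie >> 24) & 7u;
    /* Most recent counter value whose low 5 bits match the cookie. */
    uint32_t t     = now - ((now - tbits) & 31u);

    if (now - t > MAX_COOKIE_AGE)
        return 0;                   /* replayed or stale cookie */
    if ((cookie & 0xffffffu) != cookie_hash(saddr, daddr, sport, dport, t))
        return 0;                   /* wrong secret, address, port or time */
    return mss_table[idx];
}

int main(void)
{
    /* Constructed 4-tuple: 10.0.0.5:40000 -> 10.0.0.1:80, client MSS 600. */
    uint32_t saddr = 0x0a000005u, daddr = 0x0a000001u;
    uint16_t sport = 40000, dport = 80;
    uint32_t t = 100;

    uint32_t isn = syncookie_make(saddr, daddr, sport, dport, 600, t);
    uint32_t ack_seq = isn + 1;     /* what a real client puts in its ACK */

    printf("SYN-ACK ISN (cookie): 0x%08x\n", isn);
    printf("ACK at t+2 -> mss %u\n",
           syncookie_check(ack_seq - 1, saddr, daddr, sport, dport, t + 2));
    printf("ACK at t+5 -> mss %u (stale)\n",
           syncookie_check(ack_seq - 1, saddr, daddr, sport, dport, t + 5));
    printf("flipped bit -> mss %u (forged)\n",
           syncookie_check((ack_seq - 1) ^ 1u, saddr, daddr, sport, dport, t + 2));
    return 0;
}
```

The check deliberately accepts a cookie only within a short window after the SYN, so an attacker who harvests one valid SYN-ACK cannot replay it indefinitely, and a spoofed ACK that never saw the SYN-ACK has only a 2^-24 chance per guess of matching the hash. This also makes visible the cost the post alludes to: because the server retains nothing between SYN and ACK, it cannot retransmit a lost SYN-ACK, which is why SYN cookies raise the odds of a stuck connection over lossy links.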