Re: how to check current backlog queue size(against synflood)
From: Brian Hatch (focus-linux_at_ifokr.org)
Date: 05/12/03
- Previous message: Kurt Seifried: "Re: IPChains Question (compatibility mode on kernel 2.4.x)"
- In reply to: SB CH: "how to check current backlog queue size(against synflood)"
- Next in thread: Seth Arnold: "Re: how to check current backlog queue size(against synflood)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 12 May 2003 13:48:46 -0700
To: SB CH <chulmin2@hotmail.com>
> AFAIK, the backlog queue is flooded and filled with the faked SYN packets.
> so, anyone can increase his backlog queue like this.
>
> echo 512 > /proc/sys/net/ipv4/tcp_max_syn_backlog
>
> How can I check current backlog queue size? any command or program?
To view:
$ cat /proc/sys/net/ipv4/tcp_max_syn_backlog
To change:
# echo NUMBER > /proc/sys/net/ipv4/tcp_max_syn_backlog
This is the case for any kernel setting that can be viewed/edited
via a /proc interface.
Note that the tcp_max_syn_backlog default on my machine is 1024,
so check before you reset this value. Of course, when a SYN flood
is launched against you, they'll fill up any queue size you have,
so just keep this tailored for standard usage.
> What is the theory of the syncookies?
> I read syncookies.c source. But I can't understand.
I suggest reading http://cr.yp.to/syncookies.html -- it describes
how the theory and implementations evolved very clearly.
-- Brian Hatch "You are going to Systems and resist, I hope." Security Engineer www.hackinglinuxexposed.com Every message PGP signed
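Added example, not part of the original message: tcp_max_syn_backlog is the configured limit, so to see how many half-open connections exist right now this script counts SYN_RECV entries (state 03) in /proc/net/tcp per local port and prints them next to the limit. The function names and the PROC_ROOT override are hypothetical, the sample table is constructed, and tcp_syncookies is assumed to be present (kernel built with syncookie support).

```shell
#!/bin/sh
# Count half-open (SYN_RECV) TCP connections and show them next to the
# configured tcp_max_syn_backlog. IPv4 only (/proc/net/tcp).

# Print "<local_port> <count>" for each local port with sockets in SYN_RECV
# (state 03 in the "st" column). Reads the named files, or stdin if none.
syn_recv_by_port() {
    awk 'function hex2dec(h,   i, v) {
             h = toupper(h); v = 0
             for (i = 1; i <= length(h); i++)
                 v = v * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
             return v
         }
         FNR > 1 && $4 == "03" { split($2, a, ":"); n[a[2]]++ }
         END { for (p in n) print hex2dec(p), n[p] }' "$@" | sort -n
}

# Total number of SYN_RECV entries across all ports.
syn_recv_total() {
    syn_recv_by_port "$@" | awk '{ t += $2 } END { print t + 0 }'
}

# Summary line plus per-port detail. PROC_ROOT is a hypothetical override
# for running against saved copies of the files; default is the live /proc.
backlog_report() {
    root="${PROC_ROOT:-/proc}"
    echo "max_syn_backlog=$(cat "$root/sys/net/ipv4/tcp_max_syn_backlog")" \
         "syncookies=$(cat "$root/sys/net/ipv4/tcp_syncookies")" \
         "syn_recv=$(syn_recv_total "$root/net/tcp")"
    syn_recv_by_port "$root/net/tcp" |
        sed 's/^\([0-9]*\) \([0-9]*\)$/  port \1: \2 half-open/'
}

# Constructed sample in /proc/net/tcp layout (trailing columns omitted):
# a listener on port 80, three SYN_RECV entries, one established connection.
sample_tcp() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue
   0: 0100007F:0050 00000000:0000 0A 00000000:00000000
   1: 0100007F:0050 0200000A:C001 03 00000000:00000000
   2: 0100007F:0050 0300000A:C002 03 00000000:00000000
   3: 0100007F:0016 0400000A:C003 03 00000000:00000000
   4: 0100007F:0050 0500000A:C004 01 00000000:00000000
EOF
}

# Demo on the constructed sample; on a live host call backlog_report instead.
sample_tcp | syn_recv_by_port
```

A SYN_RECV count that stays near the limit while tcp_syncookies is 0 is the condition worth alerting on.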