Re: SYN flood attack in progress (pre2.0.30-2)

zero cool (
Wed, 9 Apr 1997 08:47:54 -0700 (PDT)

On Wed, 9 Apr 1997 wrote:
> This message means that your tcp backlog for some port got full
> and another connection came in. Note that linux only logs at most
> one of these a minute to avoid filling your system logs totally with
> the warning. Check the time stamps, if they are about a minute apart
> they you may be getting flooding for short periods.

Actually, while dealing with an ongoing SYN attack, I have discovered
several items in the code that need to be corrected. This message is
actually logged once per second as the check is for HZ, not (HZ*60)

Search for the comment in the following file and correct the line to the
below, otherwise, your logs will be quite filled during an attack.


/* Only let this warning get printed once a minute. */
if (jiffies - warning_time > HZ*60) {
warning_time = jiffies;
printk(KERN_INFO "Warning: possible SYN flooding. Sending cookies.\n");

To further this discussion, I have recompiled my kernel with the patches
we have discussed and turned on profiling. I am a neophyte at this, so
I'll need your help properly representing the data. If you can please
direct me to useful tools for dealing with the kernel profiling, I would
appreciate it. I'm getting the profiling package on sunsite, are there
others that you guys prefer?

To any others that are developing SYN code, my host has been under a SYN
attack for the last 6 days. Linux is proving to stand up remarkably well
and this is an excellent opportunity to 'rad harden' the kernel.


[reply to: without the nospam]
*** *** Flames will go to /dev/null
** WARNING ** SPAM mail will be returned to you at a
*** *** minimum rate of 50,000 copies per email