Silby's take one on increasing FreeBSD's resistance to SYN floods:

One way we can reduce the amount of traffic we send in response to a SYN flood is to eliminate the RST we send when removing a connection from the listen queue. Since we are being flooded, we can assume that the majority of connections in the queue are bogus. Our RST is unwanted by these hosts, just as our SYN-ACK was. Genuine connection attempts will result in hosts responding to our SYN-ACK with an ACK packet. We will automatically return a RST response to their ACK when it gets to us if the connection has been dropped, so the early RST doesn't serve the genuine class of connections much. In summary, we can reduce the number of packets we send by a factor of two without any loss in functionality by ensuring that RST packets are not sent when dropping a connection from the listen queue. Submitted by: Mike Silbersack <silby@silby.com> Reviewed by: jesper MFC after: 2 weeks
2001-06-06 19:41:51 +00:00 · 2001-06-06 19:41:51 +00:00 · 65f28919b3
commit 65f28919b3
parent db97c662cf
2 changed files with 28 additions and 2 deletions
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@ -685,13 +685,26 @@ tcp_input(m, off0, proto)
 #endif
 			so2 = sonewconn(so, 0);
 			if (so2 == 0) {
+				/*
+				 * If we were unable to create a new socket
+				 * for this SYN, we call sodropablereq to
+				 * see if there are any other sockets we
+				 * can kick out of the listen queue.  If
+				 * so, we'll silently drop the socket
+				 * sodropablereq told us to drop and
+				 * create a new one.
+				 *
+				 * If sodropablereq returns 0, we'll
+				 * simply drop the incoming SYN, as we
+				 * can not allocate a socket for it.
+				 */
 				tcpstat.tcps_listendrop++;
 				so2 = sodropablereq(so);
 				if (so2) {
 					if (tcp_lq_overflow)
 						sototcpcb(so2)->t_flags |= 
 						    TF_LQ_OVERFLOW;
-					tcp_drop(sototcpcb(so2), ETIMEDOUT);
+					tcp_close(sototcpcb(so2));
 					so2 = sonewconn(so, 0);
 				}
 				if (!so2)
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@ -685,13 +685,26 @@ tcp_input(m, off0, proto)
 #endif
 			so2 = sonewconn(so, 0);
 			if (so2 == 0) {
+				/*
+				 * If we were unable to create a new socket
+				 * for this SYN, we call sodropablereq to
+				 * see if there are any other sockets we
+				 * can kick out of the listen queue.  If
+				 * so, we'll silently drop the socket
+				 * sodropablereq told us to drop and
+				 * create a new one.
+				 *
+				 * If sodropablereq returns 0, we'll
+				 * simply drop the incoming SYN, as we
+				 * can not allocate a socket for it.
+				 */
 				tcpstat.tcps_listendrop++;
 				so2 = sodropablereq(so);
 				if (so2) {
 					if (tcp_lq_overflow)
 						sototcpcb(so2)->t_flags |= 
 						    TF_LQ_OVERFLOW;
-					tcp_drop(sototcpcb(so2), ETIMEDOUT);
+					tcp_close(sototcpcb(so2));
 					so2 = sonewconn(so, 0);
 				}
 				if (!so2)