SYN attack. how does it *really* work

Michael Dillon wrote:

If it only takes 8 SYN packets to lock up a socket for 75 seconds then
effective SYN flood attacks certainly *CAN* be launched from a dialup
connection. And if the definition of an effective attack allows for
intermittently shutting down a socket then effective attacks certainly
*CAN be launched from places like Uruguay, Brazil, Indonesia and so forth.

  not 8, only 2 SYN packets into the same connection are needed
    (connection is a single src addr, src port, dest addr
     dest port 4-tuple)
  not 75 seconds, ~11 minutes.

  the essence of the bug is:

  one timer t_timer[TCPT_KEEP] used for 2 purposes
    --to hold the 75 second half-open timer
    --to hold the 2 hour keepalive timer
  the first SYN packet sets the timer to 75 seconds
  the second trips the bug and resets the timer to 2 hours

  so where does the 11 minutes come from?

  the server (target) send SYN-ACK packets, and retransmits
  the SYN-ACK until it either gets a response or gives up
  when TCP_MAXRXTSHIFT is exceeded. the latter take ~11 minutes.

  the fix is to qualify the settting of hte timer ala:

  if (TCPS_HAVEESTABLISHED(tp->t_state))
    tp->t_timer[TCPT_KEEP] = tcp_keepidle;

  and to set the timer a each location where the TCP/IP state
  machine transitions to TCPS_ESTABLISHED.

  each half-open socket consumes 264 bytes of memory (assuming
  perfect allocation :wink:

  all BSD derived TCP/IP implementations are/may be susceptible
  to this bug. that includes AIX, SVR4, and SunOS.

  stevens TCP/IP illustrated vol 3 p191 explains this much beter
  than i can