Michael Dillon wrote:
If it only takes 8 SYN packets to lock up a socket for 75 seconds then
effective SYN flood attacks certainly *CAN* be launched from a dialup
connection. And if the definition of an effective attack allows for
intermittently shutting down a socket then effective attacks certainly
*CAN be launched from places like Uruguay, Brazil, Indonesia and so forth.
not 8, only 2 SYN packets into the same connection are needed
(connection is a single src addr, src port, dest addr
dest port 4-tuple)
not 75 seconds, ~11 minutes.
the essence of the bug is:
one timer t_timer[TCPT_KEEP] used for 2 purposes
--to hold the 75 second half-open timer
--to hold the 2 hour keepalive timer
the first SYN packet sets the timer to 75 seconds
the second trips the bug and resets the timer to 2 hours
so where does the 11 minutes come from?
the server (target) send SYN-ACK packets, and retransmits
the SYN-ACK until it either gets a response or gives up
when TCP_MAXRXTSHIFT is exceeded. the latter take ~11 minutes.
the fix is to qualify the settting of hte timer ala:
if (TCPS_HAVEESTABLISHED(tp->t_state))
tp->t_timer[TCPT_KEEP] = tcp_keepidle;
and to set the timer a each location where the TCP/IP state
machine transitions to TCPS_ESTABLISHED.
each half-open socket consumes 264 bytes of memory (assuming
perfect allocation 
all BSD derived TCP/IP implementations are/may be susceptible
to this bug. that includes AIX, SVR4, and SunOS.
stevens TCP/IP illustrated vol 3 p191 explains this much beter
than i can
jmb