SYN flood messages flooding my mailbox

> > implementation. This is a denial of service exposure that has gone
> > unaddressed in host implementations until recently. BSD now uses a
> > hash table on the TCP PCBs (protocol control blocks in the kernel) and
> > with change of removal of the check can support close to 64K-2000 PCBs
> Hmm. Interesting. I was told that NetBSD did not...
> Which version of BSD should I look at? A hash table on a static array of
> PCBs is a much better solution than letting a linked list get to 2000
> entries...

Oops. That's in a BSDI patch (PATCH K210-019) but I'm not sure about
FreeBSD or NetBSD distributions since I don't have one handy.

I'm not sure about prior releases, but FreeBSD 2.1.0 and above do hash
PCB's, with a default hash size of 128. The constant name is TCBHASHSIZE
in netinet/tcp_subr.c. To raise it, just add

options "TCBHASHSIZE=2048" # More capable TCB hash

  ... and if you feel the need, add

options "UDBHASHSIZE=1024" # More capable UDB hash

to your kern config file.
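To make concrete what the hash table buys you against a flood of half-open connections, here is a small C model I am adding as an illustration; it is not code from the thread or from any BSD kernel. The struct pcb, the FNV-1a mixing function, the listener 10.0.0.1:80 and the 192.168.x.x sources are all constructed for the example, and nbuckets stands in for TCBHASHSIZE. It fills a table with 2000 embryonic PCBs and counts how many 4-tuple comparisons a lookup of the oldest one costs when walking the global list versus walking one hash chain, first with the default of 128 buckets and then with 2048.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a protocol control block: the 4-tuple that identifies
 * a connection, a link in the global PCB list and a link in one hash chain.
 * Not the BSD struct; just enough to show the lookup cost. */
struct pcb {
    uint32_t laddr, faddr;
    uint16_t lport, fport;
    struct pcb *next;   /* global list of every PCB */
    struct pcb *hnext;  /* chain of PCBs sharing one bucket */
};

struct pcbtable {
    struct pcb *head;
    struct pcb **buckets;
    size_t nbuckets;    /* plays the role of TCBHASHSIZE */
};

/* FNV-1a over the tuple fields: an assumed mixing function, not BSD's. */
static uint32_t fnv_mix(uint32_t h, uint32_t v)
{
    for (int i = 0; i < 4; i++) { h ^= (v >> (8 * i)) & 0xffu; h *= 16777619u; }
    return h;
}

static size_t pcb_bucket(const struct pcbtable *t, uint32_t laddr, uint16_t lport,
                         uint32_t faddr, uint16_t fport)
{
    uint32_t h = 2166136261u;
    h = fnv_mix(h, laddr); h = fnv_mix(h, lport);
    h = fnv_mix(h, faddr); h = fnv_mix(h, fport);
    return h % t->nbuckets;
}

static int pcb_matches(const struct pcb *p, uint32_t laddr, uint16_t lport,
                       uint32_t faddr, uint16_t fport)
{
    return p->laddr == laddr && p->lport == lport && p->faddr == faddr && p->fport == fport;
}

int pcbtable_init(struct pcbtable *t, size_t nbuckets)
{
    t->head = NULL;
    t->nbuckets = nbuckets;
    t->buckets = calloc(nbuckets, sizeof *t->buckets);
    return t->buckets != NULL;
}

/* Insert at the head of both the list and the chain, as a kernel creating a
 * half-open connection on an incoming SYN would. */
struct pcb *pcbtable_insert(struct pcbtable *t, uint32_t laddr, uint16_t lport,
                            uint32_t faddr, uint16_t fport)
{
    struct pcb *p = malloc(sizeof *p);
    if (!p) return NULL;
    p->laddr = laddr; p->lport = lport; p->faddr = faddr; p->fport = fport;
    p->next = t->head; t->head = p;
    size_t b = pcb_bucket(t, laddr, lport, faddr, fport);
    p->hnext = t->buckets[b]; t->buckets[b] = p;
    return p;
}

/* Walk the whole list: every segment pays for every PCB in the system. */
struct pcb *lookup_list(const struct pcbtable *t, uint32_t laddr, uint16_t lport,
                        uint32_t faddr, uint16_t fport, size_t *compares)
{
    *compares = 0;
    for (struct pcb *p = t->head; p; p = p->next) {
        (*compares)++;
        if (pcb_matches(p, laddr, lport, faddr, fport)) return p;
    }
    return NULL;
}

/* Walk one chain: the cost is the chain length, roughly n / nbuckets. */
struct pcb *lookup_hash(const struct pcbtable *t, uint32_t laddr, uint16_t lport,
                        uint32_t faddr, uint16_t fport, size_t *compares)
{
    *compares = 0;
    for (struct pcb *p = t->buckets[pcb_bucket(t, laddr, lport, faddr, fport)]; p; p = p->hnext) {
        (*compares)++;
        if (pcb_matches(p, laddr, lport, faddr, fport)) return p;
    }
    return NULL;
}

void pcbtable_free(struct pcbtable *t)
{
    for (struct pcb *p = t->head; p;) { struct pcb *n = p->next; free(p); p = n; }
    free(t->buckets);
}

struct demo_result {
    int found;          /* 1 if both lookups returned the same, oldest PCB */
    size_t list_cmp;    /* comparisons made walking the global list */
    size_t hash_cmp;    /* comparisons made walking the hash chain */
};

/* Fill the table with n_half_open constructed embryonic connections to one
 * listener (10.0.0.1:80) from distinct constructed sources, then look up the
 * oldest one, which sits at the tail of both its list and its chain. */
struct demo_result demo(size_t n_half_open, size_t nbuckets)
{
    struct demo_result r = {0, 0, 0};
    struct pcbtable t;
    const uint32_t laddr = 0x0A000001u;    /* 10.0.0.1 */
    const uint16_t lport = 80;
    if (!pcbtable_init(&t, nbuckets)) return r;
    for (size_t i = 0; i < n_half_open; i++)
        pcbtable_insert(&t, laddr, lport, 0xC0A80000u + (uint32_t)i, (uint16_t)(1024 + i % 60000));
    struct pcb *a = lookup_list(&t, laddr, lport, 0xC0A80000u, 1024, &r.list_cmp);
    struct pcb *b = lookup_hash(&t, laddr, lport, 0xC0A80000u, 1024, &r.hash_cmp);
    r.found = (a != NULL && a == b);
    pcbtable_free(&t);
    return r;
}

int main(void)
{
    size_t sizes[] = {128, 2048};   /* the default and the value suggested above */
    for (size_t i = 0; i < 2; i++) {
        struct demo_result r = demo(2000, sizes[i]);
        printf("2000 half-open PCBs, %zu buckets: list walk %zu compares, hash chain %zu\n",
               sizes[i], r.list_cmp, r.hash_cmp);
    }
    return 0;
}
```

The list walk always costs 2000 comparisons for the oldest entry, while the chain walk costs about 2000/128 with the default table and a handful with 2048 buckets, which is the whole point of raising TCBHASHSIZE on a box that has to survive thousands of embryonic connections.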


