Successful syn flooding DoS
- Reply: Michael Tuexen : "Re: Successful syn flooding DoS"
Date: Thu, 04 Sep 2025 22:26:08 UTC
Folks,

today I fell victim to a syn flooding party; one of my machines went offline and needed a full reset to recover.

Why: If somebody sends me a SYN (might be spoofed), I reply with SYN-ACK. If there is a portforwarder in the path, then libalias will consider this state of affairs a fully established connection, and preserve the record, for... a day.

If somebody sends me 100 SYN packets per second, then after a few hours the libalias will have accumulated millions of these records. They go into a tailq. And at that size, the network receiving thread searching through that will run at 100% CPU. That receiving thread is a network interrupt, prio 8, so if the machine is a single vcore KVM, it won't do much else anymore.

As a quick measure I have now tried to change libalias to require a bit more data before making the timeout that long. But in the meantime the idiots have stopped their nonsense, so there is no test.

Comments, anybody?

cheerio,
PMc
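
The state-table growth described in the message above, as an added model that is not part of the original post and is not libalias code. It compares a table that grants the day-long timeout after SYN plus SYN-ACK with one that also waits for the completing ACK. All names (`rec`, `table`, `on_segment`, `flood`), the 30-second half-open timeout and the choice of the ACK as the extra requirement are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#define T_ESTABLISHED 86400u /* "a day", as described in the post */
#define T_HALF_OPEN   30u    /* assumed short timeout, not a libalias value */
enum { SYN_IN = 1, SYNACK_OUT = 2, ACK_IN = 4 };
struct rec { uint32_t peer, expires; uint8_t seen; struct rec *next; };
struct table { struct rec *head; size_t count; unsigned long steps; uint8_t need; };

/* Linear search of the record list; steps counts the records visited. */
static struct rec *lookup(struct table *t, uint32_t peer) {
    struct rec *r = t->head;
    while (r && (t->steps++, r->peer != peer)) r = r->next;
    return r;
}

/* Drop every record whose timeout has passed. */
static void expire(struct table *t, uint32_t now) {
    for (struct rec **pp = &t->head, *r; (r = *pp) != NULL; )
        if (r->expires <= now) { *pp = r->next; free(r); t->count--; }
        else pp = &r->next;
}
/* Note one segment for peer. The long timeout applies only once every flag
 * in t->need has been seen; until then the record stays on the short one. */
static void on_segment(struct table *t, uint32_t peer, uint8_t flag, uint32_t now) {
    struct rec *r = lookup(t, peer);
    if (!r) {
        if (!(r = calloc(1, sizeof *r))) abort();
        r->peer = peer; r->next = t->head; t->head = r; t->count++;
    }
    r->seen |= flag;
    r->expires = now + ((r->seen & t->need) == t->need ? T_ESTABLISHED : T_HALF_OPEN);
}

/* rate spoofed SYNs per second for secs seconds, each answered with a SYN-ACK
 * and never completed. Returns records held at the end; *steps = search work. */
size_t flood(int strict, unsigned rate, uint32_t secs, unsigned long *steps) {
    struct table t = { NULL, 0, 0, (uint8_t)(SYN_IN | SYNACK_OUT | (strict ? ACK_IN : 0)) };
    for (uint32_t now = 0, peer = 0; now < secs; now++) {
        expire(&t, now);
        for (unsigned i = 0; i < rate; i++, peer++) {
            on_segment(&t, peer, SYN_IN, now);     /* spoofed SYN arrives */
            on_segment(&t, peer, SYNACK_OUT, now); /* reply goes out, no ACK follows */
        }
    }
    size_t left = t.count;
    *steps = t.steps;
    expire(&t, UINT32_MAX); /* free everything */
    return left;
}
```

With `strict` set to 0 the table grows without bound for the whole day-long timeout and the per-packet search cost grows with it; with `strict` set to 1 it levels off at roughly `rate * T_HALF_OPEN` records.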