>[Denial of service possible by remote host putting multiple connections
>to a port into the SYN_RCVD state, thereby precluding further
>(legitimate) connection attempts.]

This problem is partly in the way the interface on top of TCP/IP has been defined. Had accept been defined in such a way that a connection request could be accepted and then rejected, there would not have been a problem. However, accept() will not return until the three-way handshake is complete, and if the source doesn't cooperate or if the server is missing the return route, the kernel queue will fill up and after the maximum is reached no further connections will succeed.

This backlog parameter also severely limits the number of connections/second an http server can accept.

>It's even worse. The same thing was done deliberately by Kevin Mitnick
>during his packet-spoofing attack on Shimomura's machines in San Diego.
>Mitnick put lots of connections into the SYN_RCVD state on machine A,
>thereby "jamming" machine A and preventing it from interfering
>(by sending RST packets) with his attack on machine B, impersonating
>machine A.

It doesn't need to be that way. I was told that Solaris 2.x machines will send RSTs for non-existing connections, even if the incoming connection queue is full. And that is not as strange as it appears: you're only interested in queueing naked SYNs; all unexpected packets can still be rejected with a RST.

Casper
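The design point in the post (only naked SYNs need a slot in the half-open queue, so a full backlog is no reason to stop answering unexpected segments with RST) can be shown with a small model of a listener's SYN_RCVD queue. The following is an added example written for this page, not code from the post or from any real TCP stack; the `Listener`, `Segment` and `jam_and_probe` names, the two policy labels, and the addresses (drawn from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) are all constructed for illustration.

```python
"""Toy model of a TCP listener's half-open (SYN_RCVD) queue.

Added example, not from the original post or any real kernel.  It
contrasts two policies a host can apply once its backlog is full:

  * "naive":          every segment aimed at the listening port is dropped
                      while the queue is full, so the host goes silent and
                      can no longer send RSTs (the "jamming" effect);
  * "rst_unexpected": only new naked SYNs are dropped; any segment that
                      belongs to no known connection is still answered with
                      a RST (the behaviour the post attributes to Solaris 2.x).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Segment:
    src: tuple          # (ip, port) of the remote end; constructed values
    syn: bool = False
    ack: bool = False


@dataclass
class Listener:
    backlog: int
    policy: str                                   # "naive" or "rst_unexpected"
    syn_rcvd: set = field(default_factory=set)    # half-open connections
    established: set = field(default_factory=set)
    sent: list = field(default_factory=list)      # outgoing segments, for audit

    def backlog_full(self):
        return len(self.syn_rcvd) >= self.backlog

    def handle(self, seg):
        # Established connections are unaffected by the listen queue.
        if seg.src in self.established:
            return "data"
        if seg.syn and not seg.ack:
            # A naked SYN is the only segment that consumes a queue slot.
            if self.backlog_full():
                return "dropped"
            self.syn_rcvd.add(seg.src)
            self.sent.append(("SYN-ACK", seg.src))
            return "syn_rcvd"
        if seg.ack and seg.src in self.syn_rcvd:
            # Third leg of the handshake: move to ESTABLISHED, free the slot.
            self.syn_rcvd.discard(seg.src)
            self.established.add(seg.src)
            return "established"
        # Anything else belongs to no known connection.
        if self.policy == "naive" and self.backlog_full():
            return "dropped"          # host goes silent while jammed
        self.sent.append(("RST", seg.src))
        return "rst"


def jam_and_probe(policy, backlog=3):
    """Fill the backlog with half-open connections that never complete,
    then deliver one more legitimate SYN and one stray ACK for a connection
    that does not exist.  Returns how the host treated each of them."""
    host = Listener(backlog=backlog, policy=policy)
    for i in range(backlog):                      # constructed sources that never ACK
        host.handle(Segment(src=("192.0.2.%d" % (i + 1), 40000 + i), syn=True))
    assert host.backlog_full()
    legit_syn = host.handle(Segment(src=("198.51.100.7", 51000), syn=True))
    stray_ack = host.handle(Segment(src=("203.0.113.9", 52000), ack=True))
    return legit_syn, stray_ack


def handshake_frees_slot(backlog=2):
    """A completed handshake leaves the queue: only half-open entries count."""
    host = Listener(backlog=backlog, policy="rst_unexpected")
    a = ("192.0.2.1", 40001)
    host.handle(Segment(src=a, syn=True))
    host.handle(Segment(src=("192.0.2.2", 40002), syn=True))
    full_before = host.backlog_full()
    host.handle(Segment(src=a, ack=True))         # a finishes the three-way handshake
    return full_before, host.backlog_full(), len(host.established)


if __name__ == "__main__":
    print("naive:         ", jam_and_probe("naive"))           # ('dropped', 'dropped')
    print("rst_unexpected:", jam_and_probe("rst_unexpected"))  # ('dropped', 'rst')
    print("handshake frees slot:", handshake_frees_slot())     # (True, False, 1)
```

Under both policies a new SYN is refused while the queue is full, which is the availability problem the post describes; the difference is that the `rst_unexpected` host keeps answering segments for non-existent connections, so filling its backlog does not also silence it. The model also shows why the backlog caps a server's connection rate: a slot is held from SYN until the final ACK arrives, so slow or non-cooperating peers pin slots for the full handshake time.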