Next: Motivation Up: Resisting SYN flood DoS Previous: Defenses

Experimental Setup

The code base used was FreeBSD 4.4-stable, from sources as of November 14th, 2001. The target machine used for testing was an Intel PIII/850, with 320MB of memory, and was equipped with an onboard Intel EtherExpress 100Mb/s chip, an Intel 1000/Pro Gigabit adapter and a NetGear GA620 Gigabit adapter. The NetGear adapter was attached directly to a second machine that acted as a packet source, while the Intel adapter was directly attached to a third machine that acted as a packet sink. A fourth machine was connected via the 100Mb port and was used for taking timing measurements of real connection requests to the test machine.

A default route was installed on the test machine so that all incoming traffic from the source was sent out to the sink via the other gigabit link. The kern.ipc.somaxconn parameter, which controls the maximum listen backlog, was raised to 1024, while net.inet.tcp.msl was turned down to 30 milliseconds in order not to run out of TCP ports. Mbufs and mbuf clusters were set to 65536 and 16384 respectively, and the system was monitored to ensure that the mbuf limit was not reached.

When SYN flooding the box, the source was configured to generate SYN packets at a rate of 15,000 packets per second. This rate was chosen as a load that the box could reasonably handle without becoming susceptible to receiver livelock. Under this load, the box was handling upwards of 30,000 packets per second, incoming and outgoing. The source addresses of the SYN packets were randomly chosen from the 10.x.x.x subnet, and the source port numbers and ISS were also randomly generated.

A small program that accepted and closed incoming connections was run on the test machine, in order to provide a listen socket for incoming packets. Timing measurements were taken on the control machine that was attached to the 100Mb port, which involved taking 2000 samples of the amount of time required for a connect() call to complete to the target machine.
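The accept-and-close listener and the connect() timing loop described above, as an added example in Python (not the paper's own code; the function names are hypothetical, the listener runs locally so the block is self-contained, and the 2000-sample default matches the paper's measurement):

```python
import socket
import statistics
import threading
import time

def accept_and_close_listener(host="127.0.0.1", port=0, backlog=1024):
    """Background thread that accepts and immediately closes connections,
    like the small program run on the test machine. port=0 picks a free
    port; returns (port, stop_event). Hypothetical helper name."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(backlog)  # the paper raised kern.ipc.somaxconn to 1024
    srv.settimeout(0.2)  # lets the loop notice stop_event
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            conn.close()
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop

def sample_connect_times(host, port, samples=2000, timeout=5.0):
    """Time `samples` connect() calls; return (latencies in seconds, failures)."""
    latencies, failures = [], 0
    for _ in range(samples):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        t0 = time.perf_counter()
        try:
            s.connect((host, port))
            latencies.append(time.perf_counter() - t0)
        except OSError:  # timeout or reset: the SYN was dropped or refused
            failures += 1
        finally:
            s.close()
    return latencies, failures

def summarize(latencies):
    """Median, 95th percentile and maximum connect time, in milliseconds."""
    ms = sorted(x * 1000.0 for x in latencies)
    p95 = ms[min(len(ms) - 1, int(0.95 * len(ms)))]
    return {"median_ms": statistics.median(ms), "p95_ms": p95, "max_ms": ms[-1]}
```

Run against the test machine instead of the local listener, the failure count and the p95/max figures are what change first when the listen queue or the SYN state table fills under a flood.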


Jonathan Lemon 2001-12-04