tcp: drop SYN+FIN messages

Denys Fedoryshchenko reported that SYN+FIN attacks were bringing his
linux machines to their limits.

Don't call conn_request() if the TCP flags include SYN flag

Reported-by: Denys Fedoryshchenko <denys@visp.net.lb>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 78a8a36 commit fdf5af0daf8019cec2396cdef8fb042d80fe71fa Eric Dumazet committed with davem330 Dec 2, 2011
Showing with 2 additions and 0 deletions.
  1. +2 −0 net/ipv4/tcp_input.c
@@ -5811,6 +5811,8 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
goto discard;
if (th->syn) {
+ if (th->fin)
+ goto discard;
if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
return 1;
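Review bot: the added `if (th->fin)` test inside the `if (th->syn)` branch jumps to `discard` with no comment explaining why, and nothing in the added lines records the drop, so the number of SYN+FIN segments rejected here is not visible from this hunk. Suggest a one-line comment above the check saying that segments with both SYN and FIN set are not passed to `conn_request()`, and consider whether a drop statistic should be incremented before the `goto`. The commit message also says "includes SYN flag" while the new condition tests `th->fin`; the wording should match the code.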