| From e3d9edbda74fc1ce53da3b0b46bcea5f31e6898f Mon Sep 17 00:00:00 2001 |
| From: Eric Dumazet <eric.dumazet@gmail.com> |
| Date: Fri, 2 Dec 2011 23:41:42 +0000 |
| Subject: [PATCH] tcp: drop SYN+FIN messages |
| |
| commit fdf5af0daf8019cec2396cdef8fb042d80fe71fa upstream. |
| |
| Denys Fedoryshchenko reported that SYN+FIN attacks were bringing his |
| linux machines to their limits. |
| |
| Dont call conn_request() if the TCP flags includes SYN flag |
| |
| Reported-by: Denys Fedoryshchenko <denys@visp.net.lb> |
| Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| --- |
| net/ipv4/tcp_input.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c |
| index df5de7dd22d2..20af12ae55a7 100644 |
| --- a/net/ipv4/tcp_input.c |
| +++ b/net/ipv4/tcp_input.c |
| @@ -5737,6 +5737,8 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, |
| goto discard; |
| |
| if (th->syn) { |
| + if (th->fin) |
| + goto discard; |
| if (icsk->icsk_af_ops->conn_request(sk, skb) < 0) |
| return 1; |
| |
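Review bot: The added `if (th->fin) goto discard;` inside the `if (th->syn)` branch drops the segment silently: there is no comment, and as far as the hunk shows no counter is touched, so an operator facing this flood has nothing to alert on and a later reader must go to the commit log to learn why FIN is special here. I would put a comment above the check, e.g. `/* SYN+FIN is not a valid connection request; drop it before conn_request() does any work */`, and consider incrementing an existing drop statistic on this path so the traffic stays visible. The commit text describes the test as being on the SYN flag, while the code tests FIN within the SYN branch; the comment should follow the code. tcp_rcv_state_process() starts and ends outside the hunk, so the `discard` label and the enclosing state case cannot be checked from here.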
| -- |
| 1.8.5.2 |
| |