From: Armistead, Jason <>
Date: Wed, 10 May 2000 23:43:16 -0400


It doesn't matter about ACL rules. The SYN attack takes place BEFORE the
TCP/IP connection is actually established and the connection gets handed
over to Squid.

i.e. Proxy TCP/IP stack gets a SYN, sends an ACK to the client, waits for
another ACK back from the client and then the connection is established, at
which time the connection is passed to Squid for handling.

If there is no ACK back from the client, the proxy will retry sending its
ACK several times (with progressively longer timeouts each time to allow for
possible slow links) before failing the connection, but in this time it is
wasting a connection and tying up all the related network resources (mainly
RAM) on the proxy. This is what a SYN flood denial of service attack
relies on, tying up TCP/IP resources so no-one else can access the server.

Only after establishment can Squid do anything about the connection with
ACLs, and even then I think it only issues the DENY when a URL is actually
requested (I may be wrong, but I had a very quick look at the source code
for where aclCheck is called from and it looked this way to me ...).


-----Original Message-----
From: S M A []
Sent: Thursday, 11 May 2000 13:17
To: Samir;
Subject: Re: WARNING


Protect your proxy from all the world's attacks....

I think you have allowed all the world to use your proxy.

Make an ACL rule to deny all as immediately as possible.


--- Samir <> wrote:
> WARNING: High TCP connect timeout rate! System (port 8080) may be under a SYN flood attack!
> Can anyone explain????
> Thanks for the reply in advance :)

Received on Wed May 10 2000 - 21:46:39 MDT
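
The half-open connections described in the reply above can be counted from the operating system side, since Squid never sees them. This is an added example, not part of the original thread and not Squid code: it assumes the Linux `/proc/net/tcp` table layout, and the sample rows, addresses and the threshold are constructed for illustration.

```python
import socket
import struct
from collections import Counter

SYN_RECV = "03"  # kernel state code: SYN received, final ACK not yet seen

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
# Local port 1F90 hex is 8080; remote addresses are documentation ranges.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0A00000A:1F90 057100CB:C001 03 00000000:00000000 01:00000064 00000002     0        0 0
   2: 0A00000A:1F90 067100CB:C002 03 00000000:00000000 01:00000064 00000003     0        0 0
   3: 0A00000A:1F90 076433C6:C003 03 00000000:00000000 01:00000064 00000001     0        0 0
   4: 0A00000A:1F90 086433C6:C004 03 00000000:00000000 01:00000064 00000004     0        0 0
   5: 0A00000A:1F90 0A0200C0:D431 01 00000000:00000000 00:00000000 00000000    13        0 2002
   6: 0A00000A:0016 0B0200C0:D432 03 00000000:00000000 01:00000064 00000000     0        0 0
"""

def parse_row(line):
    """Return (local_port, remote_ip, state) for one IPv4 row, else None."""
    fields = line.split()
    if len(fields) < 4 or not fields[0].endswith(":"):
        return None  # header line or malformed row
    try:
        local_port = int(fields[1].split(":")[1], 16)
        remote_hex = fields[2].split(":")[0]
        # The address is printed as a little-endian 32-bit value.
        remote_ip = socket.inet_ntoa(struct.pack("<I", int(remote_hex, 16)))
    except (ValueError, IndexError, struct.error):
        return None
    return local_port, remote_ip, fields[3]

def half_open_by_port(table_text):
    """Count SYN_RECV (half-open) entries per local port."""
    counts = Counter()
    for line in table_text.splitlines():
        row = parse_row(line)
        if row and row[2] == SYN_RECV:
            counts[row[0]] += 1
    return counts

def flooded_ports(table_text, threshold):
    """Ports whose half-open count reaches the (assumed) alert threshold."""
    counts = half_open_by_port(table_text)
    return sorted(port for port, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print(dict(half_open_by_port(SAMPLE)), flooded_ports(SAMPLE, threshold=3))
```

On a live Linux host the same functions can be fed the contents of `/proc/net/tcp`; a suitable threshold depends on normal traffic for the listening port.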
