} This variable is used to tell the operating system how many incoming smtp connection
} requests to accept on exim's behalf while it (exim) might be off doing other stuff
} like forking off child processes or something (see listen(2) on most OS's). We upped
} this from the default of 5 to 50 with no apparent ill-effects - yet - on a Sun Ultra
} 2, in order to overcome problems relating to timed-out smtp connections. What was
} happening is that we were being hit with multiple incoming connections in a single
} exim select() loop, the listen queue was being overrun as a result and we saw up to 2 } minutes (including TCP backoff kicking in) before some connections succeeded.
Yup.
} I suppose the potential problem with having it too big is that the OS might be
} queueing up more work than the application can handle, in which case it's probably
} time to get some new hardware.
Yes, however with careful tuning you should be OK - moving to queuing mail
if loads are high etc.
} I don't think that this is a defence against SYN attacks; you'll still have lots of
} unfinished connections lurking about in kernel space using up resource - the number
} of entries will just get bigger <question-mark>.
Its *part* of a solution - I didn't say and certainly didn't mean it is a
solution. Linux boxes can increase the listen value up to around 512, and
add a kernel patch from Alan Cox, and they will then happily sustain
normal operation with a SYN flood that saturates a 64K link (assuming they
have other bandwidth).
Hardening against these attacks normally means increasing the kernel
structures holding half open connections, tuning the timers and using
applications which can handle larger listen queues.
Making a box proof against SYN attacks additionally requires that the
kernel can algorithmically drop half open connections when the queue gets
full.
There may be other solutions - this is the one I have seen used in a
couple of places.
People initiating SYN floods come slightly lower down the life form scale
than mail bombers/spammers. Oddly both come below estate agents and
solicitors.
Nigel.
--
[ Nigel.Metheringham@??? - Unix Applications Engineer ]
[ *Views expressed here are personal and not supported by PLAnet* ]
[ PLAnet Online : The White House Tel : +44 113 251 6012 ]
[ Melbourne Street, Leeds LS2 7PS UK. Fax : +44 113 2345656 ]
[[[ Welcome to Grace, arrived 01:37 BST, 18 Sept 1996, 5lb 15oz ]]]