I use non-blocking sockets and need to refuse connection requests in
special cases. Unfortunately, there is no refuse(socket).
If I did nothing after receiving the FD_ACCEPT msg, the request seems
not to be removed from the queue. (backlog=5)
Are the only possibilities to refuse a connection attempt in closing the
listening socket, or accepting the connection and closing it immediately
thereafter? I think it's not very secure this way. It should be
possible somehow to send a RST or FIN packet, or is the Windows TCP/IP
stack that inflexible?
Would appreciate any help!
regards,
Andy
Correct. Often, of course, this is desirable, although vulnerable to DoS.
> Are the only possibilities to refuse a connection attempt in closing the
> listening socket, or accepting the connection and closing it immediately
> thereafter? I think it's not very secure this way. It should be
> possible somehow to send a RST or FIN packet, or is the windows tcp/ip
> stack that inflexible?
Closing the socket immediately after you get it from accept() will send a
FIN.
I've never tried it, but look at setsockopt(SO_CONDITIONAL_ACCEPT) and
WSAAccept(). You get the option of refusing the connection (sending a RST)
or accepting it. AFAIK, this requires Winsock 2.
Alex
>> I use non-blocking sockets and need to refuse connection requests in
>> special cases. Unfortunately, there is no refuse(socket).
>> If I did nothing after receiving the FD_ACCEPT msg, the request seems
>> not to be removed from the queue. (backlog=5)
> Correct. Often, of course, this is desirable, although vulnerable to
> DoS.
I decided to accept() the connection, because I will know the peer's IP
and port address in this case. SYN flood detection may be possible this
way, and I can close the socket immediately in a hard manner (SO_LINGER,
interval=0), based on blocked IP addresses. This way I could also limit
the maximum number of connections per client per second.
Is it a good solution, or do you know any problems with that?
Should I call shutdown() before closesocket(), or can I rely on
closesocket() in this case?
>> [...]
> Closing the socket immediately after you get it from accept() will
> send a FIN.
A FIN might be better than a RST anyway.
And I read that WSAAccept would actually accept a connection before
starting the callback-function, so I see no advantages compared to
accept() -> closesocket(). Additionally, I'm afraid of getting problems
with my multithreaded server.
> I've never tried it, but look at setsockopt(SO_CONDITIONAL_ACCEPT) and
> WSAAccept(). You get the option of refusing the connection (sending a
> RST) or accepting it. AFAIK, this requires Winsock 2.
Thanks for your reply,
Andreas
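The plan in the post above (drop blocked addresses, cap connections per client per second), as an added example that is not part of the original thread: a portable C decision function that an accept() loop or a WSAAccept condition callback could consult. The names `gate_init` and `gate_check`, the limits and the sample addresses are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CLIENTS 64  /* tracked peers (assumed limit) */
#define MAX_PER_SEC 3   /* attempts allowed per peer per second (assumed) */

enum verdict { VERDICT_ACCEPT, VERDICT_REJECT };
struct peer { uint32_t ip, second; unsigned count; int used; };
struct gate {
    const uint32_t *blocked;  /* blocked IPv4 addresses, host byte order */
    size_t nblocked;
    struct peer peers[MAX_CLIENTS];
};

void gate_init(struct gate *g, const uint32_t *blocked, size_t n) {
    memset(g, 0, sizeof *g);
    g->blocked = blocked; g->nblocked = n;
}

/* Decide on one connection attempt from `ip` seen at time `now` (seconds). */
enum verdict gate_check(struct gate *g, uint32_t ip, uint32_t now) {
    struct peer *slot = NULL;
    size_t i;
    for (i = 0; i < g->nblocked; i++)
        if (g->blocked[i] == ip) return VERDICT_REJECT;
    for (i = 0; i < MAX_CLIENTS; i++) {
        struct peer *p = &g->peers[i];
        if (p->used && p->ip == ip) { slot = p; break; }
        /* remember a free or stale entry in case this peer is new */
        if (!slot && (!p->used || p->second != now)) slot = p;
    }
    if (!slot) return VERDICT_REJECT;  /* table full this second: fail closed */
    if (!slot->used || slot->ip != ip || slot->second != now) {
        slot->used = 1; slot->ip = ip; slot->second = now; slot->count = 0;
    }
    if (slot->count >= MAX_PER_SEC) return VERDICT_REJECT;
    slot->count++;
    return VERDICT_ACCEPT;
}

int main(void) {
    static const uint32_t blocked[] = { 0xC6336407u }; /* 198.51.100.7, constructed */
    struct gate g; int i;
    gate_init(&g, blocked, 1);
    printf("blocked peer: %d\n", gate_check(&g, 0xC6336407u, 100));
    for (i = 0; i < 4; i++)  /* 192.0.2.1 (constructed): three pass, fourth is refused */
        printf("attempt %d: %d\n", i + 1, gate_check(&g, 0xC0000201u, 100));
    return 0;
}
```

With SO_CONDITIONAL_ACCEPT set, a WSAAccept condition callback would return CF_REJECT for VERDICT_REJECT and CF_ACCEPT otherwise; after a plain accept(), a reject verdict means closing the new socket.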
As I said in my previous post, using SO_CONDITIONAL_ACCEPT should allow you
to reject the attempt - i.e. *before* it is accepted by the stack, and
contrary to the "normal" behaviour.
Alex
You could try this way...
backlog=6
then,
if the request you receive is the 6th, this means that you actually have 5
sockets opened. So you send a msg saying "try later. Server full... already
5 connections...." and then you close this socket...
something like this...
close( sock[5] );
sock[5]= - 1; /* this means that this position is free... */
Hope this helps...
Regards,
Joao Paulo
"Andreas Born" <Andrea...@gmx.de> wrote in message
news:ahc6fv$s0fus$2...@ID-82403.news.dfncis.de...
>> And I read that WSAAccept would actually accept a connection before
>> starting the callback-function, so I see no advantages compared to
>> accept() -> closesocket(). Additionally, I'm afraid of getting
>> problems with my multithreaded server.
> As I said in my previous post, using SO_CONDITIONAL_ACCEPT should
> allow you to reject the attempt - ie *before* it is accepted by the
> stack, and contrary to the "normal" behaviour.
Sorry, you're right, of course. (My MSDN Version doesn't tell anything
about SO_CONDITIONAL_ACCEPT, only about WSAAccept). I will try it this
way. Thank you very much for this information :-).
Andy
> You could try this way...
>
> backlog=6
>
> then,
>
> if the request you receive is the 6th, this means that actually have 5
> sockets opened. So you send a msg saying "try later. Server full...
> already 5 connections...." and then you close this socket...
> something like this...
>
> close( sock[5] );
> sock[5]= - 1; /* this means that this position is free... */
>
>
> Hope this helps...
Thanks for your answer, but this is not the problem. For security
considerations I need to be able to ignore/reject connection attempts
from special IP addresses...
Andy :-)
It should be listed under setsockopt(). Actually, it really _ought_ to be
listed in with WSAAccept as well, because WSAAccept is essentially zero use
without it, but then Microsoft don't ask me these questions when they're
drafting the documentation. :-)
Alun.