nanog mailing list archives
Re: New Denial of Service Attack ...
From: postel () ISI EDU
Date: Tue, 24 Sep 1996 22:52:46 -0700
----- Begin Included Message -----

Subject: Re: FW: Latest attacks....
Date: Thu, 19 Sep 1996 08:39:02 +0100
From: Jon Crowcroft <J.Crowcroft () cs ucl ac uk>

problem solved: this just in on your trusty end2end research group's list (sorry, i know some of you may already read it)

this guy is usually technically excellent, so i think we can trust that this solution is valid, will propagate, and is deployable for server sites that worry (you only need kernel reconfig rights for unix to add this - NT and MAC servers may have a tad more of a problem:-).

cheers
jon

------- Forwarded Message

Date: Wed, 18 Sep 1996 14:32:14 -0600
From: vjs () mica denver sgi com (Vernon Schryver)
Subject: SYN bombing defense

As reported here, in article <vxjiv9hkmcb.fsf_-_ () dominator eecs harvard edu> in comp.protocols.tcp-ip, Robert Morris <rtm () dominator eecs harvard edu> wrote:
Perhaps TCP's listen queue should use random early drop (RED), a technique used by routers to prevent any one source from monopolizing a queue. See http://www-nrg.ee.lbl.gov/floyd/abstracts.html#FJ93 or rfc1254. ...
I've just hacked IRIX 6.3 to do random-drop when sonewconn() in tcp_input.c fails. It works great! An IP22 receiving 1200 bogus SYN's per second directed to port 23 continues to answer requests for new telnet as if nothing is happening.

I don't think that random <<Early>> drop is necessary or desirable. It is not as if we're trying to drop packets early to trigger slow start in the sources.

As I figure it, as long as the length of the queue is longer than RTT of the real telnet client times the rate of bogus SYNs, the real clients have an excellent probability of getting through on their first attempt. For example, at 1200 bogus SYNs/sec and the IRIX 6.3 telnet listen queue of 383, there should be no trouble with peers with RTT up to about 300 milliseconds.

I've tested with a telnet client 250 milliseconds away while simultaneously bombing the machine from nearby with ~1200 SYNs/sec, and see no telnet TCP retransmissions.

Vernon Schryver, vjs () sgi com

------- End of Forwarded Message

----- End Included Message -----
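The queue-depth-versus-RTT argument in the forwarded message, modelled as an added example (this is constructed code, not SGI's kernel change): a toy listen queue that evicts a random pending entry when full, the survival chance (1 - 1/N)^(rate x RTT) that follows for a real client's entry, and a Monte Carlo run of the same scenario. It assumes the queue is already full of bogus SYNs that never complete, so each further bogus SYN evicts one uniformly chosen entry; QUEUE_LEN takes the 383 from the message, while REAL_ID and all function names are made up here.

```c
#include <stdio.h>
#include <stdlib.h>
#define QUEUE_LEN 383          /* IRIX 6.3 telnet listen queue size from the message */
#define REAL_ID   0xFFFFFFFFu  /* constructed id for the one real client's SYN */
/* Toy queue of pending (SYN-RCVD) connections; constructed model, not SGI's kernel code. */
typedef struct { unsigned id[QUEUE_LEN]; int used; } listen_queue;

/* Random drop: where drop-tail would refuse the SYN (sonewconn() failing on a full queue),
   evict a uniformly chosen pending entry to make room, as Vernon describes. */
int enqueue_randomdrop(listen_queue *q, unsigned id) {
    if (q->used == QUEUE_LEN) { q->id[rand() % QUEUE_LEN] = id; return 1; }  /* rand(): toy RNG */
    q->id[q->used++] = id;
    return 1;
}

int contains(const listen_queue *q, unsigned id) {
    for (int i = 0; i < q->used; i++) if (q->id[i] == id) return 1;
    return 0;
}

/* Chance a real entry survives until its ACK arrives one RTT later, assuming the queue is
   already full of bogus SYNs that never complete, so each further bogus SYN evicts one
   random entry: (1 - 1/N)^(rate * rtt). Loop instead of pow() so no libm is needed. */
double survival_probability(int queue_len, double syn_rate, double rtt_seconds) {
    long evictions = (long)(syn_rate * rtt_seconds + 0.5);
    double keep = 1.0 - 1.0 / queue_len, p = 1.0;
    for (long i = 0; i < evictions; i++) p *= keep;
    return p;
}

/* Monte Carlo of the same scenario: fill with bogus SYNs, admit the real one, keep bombing
   for one RTT, then check whether the real entry is still queued. */
double simulate_survival(double syn_rate, double rtt_seconds, int trials) {
    long during_rtt = (long)(syn_rate * rtt_seconds + 0.5);
    int survived = 0;
    for (int t = 0; t < trials; t++) {
        listen_queue q = { {0}, 0 };
        for (unsigned i = 1; i <= QUEUE_LEN; i++) enqueue_randomdrop(&q, i);   /* flood fills it */
        enqueue_randomdrop(&q, REAL_ID);                                        /* real SYN arrives */
        for (long i = 0; i < during_rtt; i++) enqueue_randomdrop(&q, (unsigned)(QUEUE_LEN + 1 + i));
        survived += contains(&q, REAL_ID);
    }
    return (double)survived / trials;
}

int main(void) {
    srand(1);
    printf("analytic %.3f, simulated %.3f at 1200 SYN/s, RTT 250 ms\n",
           survival_probability(QUEUE_LEN, 1200.0, 0.25), simulate_survival(1200.0, 0.25, 4000));
    return 0;
}
```

Plugging in a deeper queue, a lower flood rate or a shorter RTT shows how the survival term moves; the model ignores the SYN-RCVD timer that eventually expires bogus entries, so it is a lower bound on what a real kernel would see.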