nanog mailing list archives
Re: New Denial of Service Attack on Panix
From: Avi Freedman <freedman () netaxs com>
Date: Mon, 16 Sep 1996 22:07:07 -0400 (EDT)
Michael Dillon writes:
There are at least three things you can do to protect yourself from such attacks. One is to patch your UNIX/BSD kernel to allow much higher numbers of incomplete socket connections.
Also, hashing the incoming PCBs is a big win.
Or not even creating PCBs and socket structures for the un-acknowledged SYNs. Keep them in a data structure that stores the pertinent info and reconstruct the packets when the ack comes in (when you create the mbufs/ PCB/socket).
That breaks TCP, and often badly. In fact, the problem isn't so bad with a properly designed kernel. The initial experiments say that increasing the size of the incoming connection queue, hashing the queue, and adaptively lowering the timeout on infant connections should permit you to survive pretty intense attack without stopping service. This is probably the best approach for people to unilaterally take.
Hear, hear.
However, in general, it would be very nice for providers to start filtering their customers so that they could not send forged packets from network numbers they don't own.
Hear, hear, hear.
Perry
Avi
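The two ideas in the message above, Avi's "don't build PCBs and sockets for unacknowledged SYNs, just keep the pertinent info" and Perry's "bigger queue, hashed, with an adaptively lowered timeout on infant connections", fit together in one small half-open connection table. The C below is an added illustration written for this archive page; it is not code from the NANOG thread, from Panix, or from any BSD kernel. The bucket count, table capacity, timeout range, the `sc_`/`syncache_` names and the addresses in the constructed scenario are all assumptions made for the example; sending the SYN-ACK and allocating the real socket when the ACK arrives are left out.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical sizing for illustration; real kernels use other constants. */
#define SC_BUCKETS  64    /* hash buckets for the half-open table */
#define SC_CAPACITY 256   /* half-open entries held in total */
#define SC_TMO_MAX  75    /* seconds to wait for the ACK when the table is empty */
#define SC_TMO_MIN  3     /* seconds to wait when the table is full */

struct sc_key { uint32_t saddr, daddr; uint16_t sport, dport; };  /* 12 bytes, no padding */

struct sc_entry {            /* a few words per SYN instead of a PCB plus a socket */
    struct sc_key key;
    uint32_t irs, iss;       /* peer's initial seq (from the SYN), ours (sent in the SYN-ACK) */
    uint32_t created;        /* arrival time of the SYN, seconds */
    struct sc_entry *next;
};

struct syncache {
    struct sc_entry pool[SC_CAPACITY], *free_list, *bucket[SC_BUCKETS];
    int count;
};

static uint32_t sc_hash(const struct sc_key *k) {
    uint32_t h = k->saddr * 2654435761u ^ (k->daddr + 0x9e3779b9u);
    h ^= ((uint32_t)k->sport << 16 | k->dport) * 0x85ebca6bu;
    return (h ^ (h >> 16)) % SC_BUCKETS;
}

void syncache_init(struct syncache *sc) {
    memset(sc, 0, sizeof *sc);
    for (int i = 0; i < SC_CAPACITY; i++)       /* thread every entry onto the free list */
        { sc->pool[i].next = sc->free_list; sc->free_list = &sc->pool[i]; }
}

/* Adaptive timeout: the fuller the table, the sooner an unanswered SYN is dropped. */
uint32_t syncache_timeout(const struct syncache *sc) {
    return SC_TMO_MAX - (SC_TMO_MAX - SC_TMO_MIN) * (uint32_t)sc->count / SC_CAPACITY;
}

static void sc_unlink(struct syncache *sc, struct sc_entry **pp) {   /* back to the free list */
    struct sc_entry *e = *pp;
    *pp = e->next; e->next = sc->free_list; sc->free_list = e; sc->count--;
}

/* Reclaim every entry older than the timeout in force right now; returns how many. */
int syncache_expire(struct syncache *sc, uint32_t now) {
    uint32_t tmo = syncache_timeout(sc); int dropped = 0;
    for (int b = 0; b < SC_BUCKETS; b++) {
        struct sc_entry **pp = &sc->bucket[b];
        while (*pp) {
            if (now - (*pp)->created >= tmo) { sc_unlink(sc, pp); dropped++; }
            else pp = &(*pp)->next;
        }
    }
    return dropped;
}

/* SYN received: remember it cheaply (the SYN-ACK send is not shown). 0 = stored, -1 = table full. */
int syncache_add(struct syncache *sc, struct sc_key key, uint32_t irs, uint32_t iss, uint32_t now) {
    if (!sc->free_list) syncache_expire(sc, now);
    if (!sc->free_list) return -1;
    struct sc_entry *e = sc->free_list;
    sc->free_list = e->next;
    e->key = key; e->irs = irs; e->iss = iss; e->created = now;
    uint32_t b = sc_hash(&key);
    e->next = sc->bucket[b]; sc->bucket[b] = e; sc->count++;
    return 0;
}

/* Final ACK received: only now would the kernel allocate the PCB and socket.
 * Returns 1 and drops the entry if the ACK is fresh and acknowledges our ISS. */
int syncache_complete(struct syncache *sc, struct sc_key key, uint32_t ack, uint32_t now) {
    uint32_t tmo = syncache_timeout(sc);
    for (struct sc_entry **pp = &sc->bucket[sc_hash(&key)]; *pp; pp = &(*pp)->next) {
        struct sc_entry *e = *pp;
        if (memcmp(&e->key, &key, sizeof key) != 0) continue;
        if (now - e->created >= tmo) { sc_unlink(sc, pp); return 0; } /* stale: reclaim */
        if (ack != e->iss + 1) return 0;      /* wrong ACK: keep waiting for the real one */
        sc_unlink(sc, pp); return 1;
    }
    return 0;
}

/* Constructed scenario: a flood of SYNs from forged sources at t=0, then a real client.
 * Returns 0 if every step behaved as intended, else the number of the step that did not. */
int syncache_demo(void) {
    static struct syncache sc;
    syncache_init(&sc);
    for (uint32_t i = 0; i < SC_CAPACITY; i++) {
        struct sc_key k = { 0x0a000000u + i, 0xc0a80001u, 40000, 80 }; /* constructed addresses */
        if (syncache_add(&sc, k, 1000 + i, 5000 + i, 0) != 0) return 1;
    }
    if (syncache_timeout(&sc) != SC_TMO_MIN) return 2;       /* full table: timeout collapsed */
    struct sc_key legit = { 0x0b000000u, 0xc0a80001u, 1234, 80 };
    if (syncache_add(&sc, legit, 1, 2, 1) != -1) return 3;   /* t=1: still full, refused */
    if (syncache_add(&sc, legit, 1, 2, 3) != 0) return 4;    /* t=3: flood expired, accepted */
    if (syncache_complete(&sc, legit, 3, 4) != 1) return 6;  /* ack == iss + 1 completes */
    if (syncache_complete(&sc, legit, 3, 4) != 0) return 7;  /* replayed ACK finds nothing */
    return 0;
}
```

Two choices worth noticing. The timeout is recomputed from occupancy every time the table is consulted, so a flood that fills it shortens the wait for everyone, but a real client that answers the SYN-ACK within a few seconds still gets through; the cost Perry mentions (breaking slow legitimate handshakes) shows up as `SC_TMO_MIN`. And an ACK that names the right four-tuple but the wrong sequence number is simply ignored rather than evicting the entry, so a third party cannot knock a pending handshake out of the table by guessing the tuple alone.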