Re: New Denial of Service Attack on Panix

[Avi Freedman <freedman () netaxs com>]

> Michael Dillon writes:
> > There are at least three things you can do to protect yourself from such
> > attacks. One is to patch your UNIX/BSD kernel to allow much higher numbers
> > of incomplete socket connections.
>
> Also, hashing the incoming PCBs is a big win.

Or not even creating PCBs and socket structures for the un-acknowledged
SYNs.  Keep them in a data structure that stores the pertinent info and
reconstruct the packets when the ack comes in (when you create the mbufs/
PCB/socket).

> That breaks TCP, and often badly. In fact, the problem isn't so bad
> with a properly designed kernel. The initial experiments say that
> increasing the size of the incoming connection queue, hashing the
> queue, and adaptively lowering the timeout on infant connections
> should permit you to survive pretty intense attack without stopping
> service. This is probably the best approach for people to unilaterally
> take.

Here here.

> However, in general, it would be very nice for providers to start
> filtering their customers so that they could not send forged packets
> from network numbers they don't own.

Here here here.

> Perry

Avi

- - - - - - - - - - - - - - - - -