Re: New form of packet attack named Stream

["Damon M. Conway" <damon () chiba 3jane net>]

 Pat Myrto wrote:
> Alex P. Rudnev has declared that:
> > > > e-mail me asking for the code.
> > >
> > > Actually, you provided enough details, so any unix guy who knows
> > > his sockets can write the program in fifteen minutes.
> > >
> > > This type of attack was known for a long time (and there are even
> > > nastier variations using TCP header bits and fragments), and, unfortunately,
> > > there's no good defense against it.
> > There is one base rule - you (OS) MUST limit resources (CPU, MEMORY, buffers,
> > sockets, etc) catched by any SINGLE origin (IP address, program, service).
> >
> > Such approach broke just any except a few DoS attacks - for example, if you try
> > to exhaust memory attaking single service, then (1) service can't catch all
> > memory because it's the SINGLE origin, and (2) one SRC address can't catch many
> > resources because it's SINGLE origin, and (3) you can't generate too many
> > different addresses in case of reverse-filtering.
>
> Any ideas/suggestions to hacks to kernel, etc (i.e., freebsd, linux, etc)
> to impose such limits (configurable by admin, preferably)?  Especially
> in the CPU usage and memory areas (perhaps sockets/handles, too).

from freebsd-current yesterday:

Subject: half-fix for stream.c
http://www.freebsd.org/~alfred/tcp_fix.diff

damon