[473] in cryptography@c2.net mail archive


Re: How bad is this?

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Wed Apr 2 15:35:31 1997

To: colin@nyx.net (Colin Plumb)
cc: cryptography@c2.net
In-reply-to: Your message of "Wed, 02 Apr 1997 11:39:49 MST."
             <9704021839.AA25769@nyx.net> 
Reply-To: perry@piermont.com
Date: Wed, 02 Apr 1997 15:16:55 -0500
From: "Perry E. Metzger" <perry@piermont.com>


Colin Plumb writes:
> >> Actually, RFC1948 stuff has nothing to do with SYN Floods.
> 
> >> It's a protection against sequence number attacks, which permit address
> >> spoofing. It is not a denial of service problem at all!
> 
> Actually, excuse me.  You're right, and I was getting too focused
> on the *other* application of random functions.  This is an important
> one and shouldn't be forgotten in the development stuff, but...
> 
> The actual things I'm playing with are Dan Bernstein's SYN cookies and
> RST cookies, which do some clever things to avoid allocating any
> local socket resources until the remote side has responded to
> the ACK to their SYN.

My opinion is that Dan's ideas on this subject are not something
people should actually implement.

Some pretty clever hacks have been added to several BSD variants
recently that dramatically reduce the overhead associated with half
open connections, and I suspect that these (and aggressive drops of the
connections at the tail of the queue) are likely to be the defenses of
choice for the foreseeable future.

Perry
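
The SYN-cookie mechanism Colin describes (the server hands back a stateless
cookie as its ISN and only commits socket resources once the client's final
ACK proves it received the SYN/ACK) can be sketched as follows. This is an
added illustration written for this archive page; it is not Bernstein's code
nor any kernel's implementation. The field layout (5-bit counter, 3-bit MSS
index, 24-bit keyed MAC), the MSS table, the acceptance window and the demo
key are all assumptions chosen for the example.

```python
"""Minimal SYN-cookie encode/verify (added illustration, not Bernstein's or any
kernel's actual code).  The server answers a SYN with a cookie as its ISN,
allocates nothing, and creates connection state only when the handshake's
final ACK carries a cookie it can re-derive from the packet itself."""
import hashlib
import hmac
import struct

# Constructed demo key; a real server draws this randomly at boot and keeps it secret.
SECRET_KEY = b"constructed-demo-key-not-for-production"

# Three cookie bits carry an index into this table instead of the raw MSS
# (assumed table, chosen for the example).
MSS_TABLE = (536, 1300, 1440, 1460)
COUNTER_WINDOW = 3          # accept cookies minted up to 3 counter ticks ago (assumption)
MASK32 = 0xFFFFFFFF


def _mac24(saddr, sport, daddr, dport, client_isn, counter):
    """24-bit keyed MAC over the 4-tuple, the client's ISN and the time counter."""
    msg = struct.pack("!4sH4sHII", saddr, sport, daddr, dport, client_isn, counter)
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()[:3]


def make_cookie(saddr, sport, daddr, dport, client_isn, mss, counter):
    """Server ISN for the SYN/ACK: 5-bit counter | 3-bit MSS index | 24-bit MAC.

    Nothing about the half-open connection is stored; everything needed to
    validate the final ACK is either in the cookie or in the ACK packet."""
    # Largest table entry not exceeding the offered MSS (falls back to the smallest).
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss], default=0)
    mac = int.from_bytes(_mac24(saddr, sport, daddr, dport, client_isn, counter), "big")
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | mac


def check_cookie(saddr, sport, daddr, dport, seq, ack, counter_now):
    """Validate the handshake-completing ACK.  Returns the negotiated MSS, or None.

    seq/ack are the 32-bit fields of the incoming ACK segment; counter_now is the
    server's current time counter (same clock used when the cookie was minted)."""
    cookie = (ack - 1) & MASK32          # the ACK acknowledges our ISN + 1
    client_isn = (seq - 1) & MASK32      # the client's ISN was one below its current seq
    cookie_counter = cookie >> 27
    age = (counter_now - cookie_counter) & 0x1F
    if age > COUNTER_WINDOW:
        return None                      # stale cookie or forged counter bits
    counter = counter_now - age          # reconstruct the full counter value
    expected = _mac24(saddr, sport, daddr, dport, client_isn, counter)
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    if not hmac.compare_digest(expected, got):
        return None                      # 4-tuple, ISN or key does not match
    return MSS_TABLE[(cookie >> 24) & 0x7]


if __name__ == "__main__":
    # Constructed sample handshake: client 10.0.0.1:40000 -> server 192.0.2.10:80.
    client, server = bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10])
    isn = make_cookie(client, 40000, server, 80, 123456789, 1460, counter=100)
    # One tick later the ACK arrives with seq = client_isn+1, ack = our ISN+1.
    print(check_cookie(client, 40000, server, 80, 123456790, (isn + 1) & MASK32, 101))
```

The trade-off Colin alludes to is visible here: the server keeps no state for
half-open connections, but it also cannot remember TCP options beyond what it
squeezes into the cookie (hence the coarse MSS table), and a cookie stays
acceptable for the whole counter window rather than for an exact timeout.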
