[12943] in North American Network Operators' Group
Re: Syn flooding attacks
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Mon Oct 20 16:45:29 1997
To: Joe Shaw <jshaw@insync.net>
cc: Vern Paxson <vern@ee.lbl.gov>, Phil Howard <phil@charon.milepost.com>,
Paulo Maffei <paulo@br.global-one.net>, nanog@merit.edu
In-reply-to: Your message of "Mon, 20 Oct 1997 15:09:24 CDT."
<Pine.GSO.3.96.971020150121.15529B-100000@vellocet.insync.net>
Reply-To: perry@piermont.com
Date: Mon, 20 Oct 1997 16:34:35 -0400
From: "Perry E. Metzger" <perry@piermont.com>

Joe Shaw writes:
> Don't most SYN flood programs just send a constant stream of SYNs to the
> specified machine/port? The one I have for testing does that. So,
> sequential requests would get around this, no matter how many SYNs you
> were looking for. I think the best protection against SYN flooding is in
> the Kernel level of the OS. If you see a massive amount of SYN requests
> coming in on one port from one machine or many, then you start applying
> cookies for those connections and decrease the hold time before you start
> dropping the connections due to un-answered SYN-ACKs. Don't most
> operating systems now support this feature (Win95 excluded)?

The whole "cookie" idea pretty much sucks, IMHO. It doesn't work
particularly well.

On the other hand, compressing your TCP state for half open
connections is pretty cheap, and has the nice side effect of making
your machine a much more efficient high volume server.

Perry
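
An added sketch, not code from this thread or from either poster, of what compact half-open state with a shortened hold time can look like: a fixed-size table of 24-byte entries, oldest-first eviction per bucket, and promotion to a full connection only when the final ACK matches. The table size, hold time, hash function and all names are assumptions made for the example.

```c
#include <stdint.h>

#define BUCKETS    256   /* assumed table size */
#define WAYS       4     /* slots per bucket before the oldest is evicted */
#define HOLD_TICKS 3     /* assumed (short) lifetime of a half-open entry */

/* 24 bytes per half-open connection, in place of a full TCP control block. */
struct syn_entry {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint32_t irs, iss;   /* peer's and our initial sequence numbers */
    uint16_t mss;
    uint16_t born;       /* tick the SYN arrived; 0 marks a free slot */
};

static struct syn_entry table[BUCKETS][WAYS];   /* fixed memory, flood or not */

/* Unkeyed hash for brevity; a real stack would mix in a boot-time secret. */
static unsigned bucket_of(const struct syn_entry *k) {
    uint32_t h = k->saddr * 2654435761u ^ ((uint32_t)k->sport << 16 | k->dport);
    return (h >> 8) % BUCKETS;
}

/* Record a SYN at tick `now` (ticks start at 1): take a free or expired slot,
   otherwise overwrite the oldest entry in the bucket. */
static void syn_add(struct syn_entry in, uint16_t now) {
    struct syn_entry *b = table[bucket_of(&in)], *victim = &b[0];
    for (int i = 0; i < WAYS; i++) {
        uint16_t age = (uint16_t)(now - b[i].born);
        if (b[i].born == 0 || age > HOLD_TICKS) { victim = &b[i]; break; }
        if (age > (uint16_t)(now - victim->born)) victim = &b[i];
    }
    in.born = now;
    *victim = in;
}

/* Match the handshake's final ACK. k carries addresses and ports; on success
   it receives the stored entry (for building the full TCB) and the slot is freed. */
static int syn_complete(struct syn_entry *k, uint32_t seq, uint32_t ack, uint16_t now) {
    struct syn_entry *b = table[bucket_of(k)];
    for (int i = 0; i < WAYS; i++) {
        struct syn_entry *e = &b[i];
        if (e->born == 0 || (uint16_t)(now - e->born) > HOLD_TICKS) continue;
        if (e->saddr == k->saddr && e->daddr == k->daddr && e->sport == k->sport &&
            e->dport == k->dport && seq == e->irs + 1 && ack == e->iss + 1) {
            *k = *e; e->born = 0; return 1;
        }
    }
    return 0;
}
```

Memory use stays at `sizeof(table)` however many SYNs arrive; the cost is that a sustained flood into one bucket can evict a legitimate half-open entry before its ACK returns.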