[4433] in North American Network Operators' Group
Re: New Denial of Service Attack on Panix
daemon@ATHENA.MIT.EDU (Avi Freedman)
Mon Sep 16 22:12:15 1996
From: Avi Freedman <freedman@netaxs.com>
To: perry@piermont.com
Date: Mon, 16 Sep 1996 22:07:07 -0400 (EDT)
Cc: michael@memra.com, nanog@merit.edu, iepg@iepg.org
In-Reply-To: <199609170149.VAA24445@jekyll.piermont.com> from "Perry E. Metzger" at Sep 16, 96 09:49:03 pm
> Michael Dillon writes:
> > There are at least three things you can do to protect yourself from such
> > attacks. One is to patch your UNIX/BSD kernel to allow much higher numbers
> > of incomplete socket connections.
>
> Also, hashing the incoming PCBs is a big win.
Or not even creating PCBs and socket structures for the un-acknowledged
SYNs. Keep them in a data structure that stores the pertinent info and
reconstruct the packets when the ack comes in (when you create the mbufs/
PCB/socket).
> That breaks TCP, and often badly. In fact, the problem isn't so bad
> with a properly designed kernel. The initial experiments say that
> increasing the size of the incoming connection queue, hashing the
> queue, and adaptively lowering the timeout on infant connections
> should permit you to survive pretty intense attack without stopping
> service. This is probably the best approach for people to unilaterally
> take.
Hear, hear.
> However, in general, it would be very nice for providers to start
> filtering their customers so that they could not send forged packets
> from network numbers they don't own.
Hear, hear, hear.
> Perry
Avi
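The mitigation the thread converges on (a larger, hashed half-open queue with an adaptively shortened infant timeout, and no PCB/socket allocation until the handshake completes) can be sketched in a few dozen lines. The following C is an added example for this archive page, not code from any participant or from the BSD kernel; the table sizes, the linear timeout formula, the hash function and the constructed 10.0.0.x/192.168.0.1 addresses are all the example's own assumptions.

```c
/* Added example: a minimal SYN cache. Half-open connections live in a
 * hashed table of small records; the full PCB/socket is only built when
 * the final ACK arrives. Sizes and formulas below are assumed, not BSD's. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SYNCACHE_BUCKETS 64   /* hashed queue: lookup cost is per chain, not per queue */
#define SYNCACHE_MAX     256  /* ceiling on half-open entries (assumed) */
#define SYN_TIMEOUT_MAX  75   /* seconds an infant connection lives when the cache is empty */
#define SYN_TIMEOUT_MIN  5    /* seconds it lives when the cache is full */

struct half_open {            /* just enough to finish the handshake later */
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint32_t irs, iss;        /* peer's initial seq, our initial seq */
    uint32_t created;         /* arrival time of the SYN, in seconds */
    struct half_open *next;
};

struct syncache {
    struct half_open *bucket[SYNCACHE_BUCKETS];
    size_t count;
    uint32_t seed;            /* per-boot secret so one chain cannot be targeted */
};

void syncache_init(struct syncache *sc, uint32_t seed)
{
    memset(sc, 0, sizeof *sc);
    sc->seed = seed;
}

static unsigned syncache_hash(const struct syncache *sc, uint32_t saddr,
                              uint16_t sport, uint32_t daddr, uint16_t dport)
{
    uint32_t h = sc->seed ^ saddr ^ (daddr * 0x9e3779b1u)
               ^ (((uint32_t)sport << 16) | dport);
    h *= 0x85ebca6bu;
    h ^= h >> 13;
    return h % SYNCACHE_BUCKETS;
}

/* Adaptive infant timeout: shrinks linearly as the cache fills up. */
uint32_t syncache_timeout(const struct syncache *sc)
{
    uint32_t span = SYN_TIMEOUT_MAX - SYN_TIMEOUT_MIN;
    return SYN_TIMEOUT_MAX - (uint32_t)(span * sc->count / SYNCACHE_MAX);
}

/* Drop entries older than the current timeout; returns how many went. */
size_t syncache_expire(struct syncache *sc, uint32_t now)
{
    size_t dropped = 0;
    uint32_t limit = syncache_timeout(sc);
    for (unsigned b = 0; b < SYNCACHE_BUCKETS; b++) {
        struct half_open **pp = &sc->bucket[b];
        while (*pp) {
            struct half_open *e = *pp;
            if (now - e->created >= limit) {
                *pp = e->next; free(e); sc->count--; dropped++;
            } else {
                pp = &e->next;
            }
        }
    }
    return dropped;
}

/* Record a SYN without allocating a PCB/socket. 0 on success, -1 if full. */
int syncache_add_syn(struct syncache *sc, uint32_t saddr, uint16_t sport,
                     uint32_t daddr, uint16_t dport, uint32_t irs,
                     uint32_t iss, uint32_t now)
{
    unsigned b = syncache_hash(sc, saddr, sport, daddr, dport);
    for (struct half_open *e = sc->bucket[b]; e; e = e->next)
        if (e->saddr == saddr && e->sport == sport &&
            e->daddr == daddr && e->dport == dport) {
            e->irs = irs; e->iss = iss; e->created = now;  /* retransmitted SYN */
            return 0;
        }
    if (sc->count >= SYNCACHE_MAX && syncache_expire(sc, now) == 0)
        return -1;            /* still full: shed this SYN instead of memory */
    struct half_open *e = malloc(sizeof *e);
    if (!e) return -1;
    e->saddr = saddr; e->sport = sport; e->daddr = daddr; e->dport = dport;
    e->irs = irs; e->iss = iss; e->created = now;
    e->next = sc->bucket[b]; sc->bucket[b] = e; sc->count++;
    return 0;
}

/* Final ACK: on a match, remove the entry and hand back the handshake state.
 * This is where a real kernel would now build the mbufs/PCB/socket.
 * Returns 1 on a valid completion, 0 otherwise (bogus ACKs change nothing). */
int syncache_complete(struct syncache *sc, uint32_t saddr, uint16_t sport,
                      uint32_t daddr, uint16_t dport, uint32_t ack,
                      struct half_open *out)
{
    unsigned b = syncache_hash(sc, saddr, sport, daddr, dport);
    for (struct half_open **pp = &sc->bucket[b]; *pp; pp = &(*pp)->next) {
        struct half_open *e = *pp;
        if (e->saddr != saddr || e->sport != sport ||
            e->daddr != daddr || e->dport != dport) continue;
        if (ack != e->iss + 1) return 0;
        *pp = e->next; *out = *e; out->next = NULL; free(e); sc->count--;
        return 1;
    }
    return 0;
}

/* Constructed scenario: 300 forged SYNs at t=0, then one real handshake. */
int syncache_selftest(void)
{
    struct syncache sc; struct half_open done; int rejected = 0;
    syncache_init(&sc, 0xC0FFEEu);
    for (uint16_t p = 1; p <= 300; p++)
        if (syncache_add_syn(&sc, 0x0A000001u, p, 0xC0A80001u, 80, 1000u + p, 5000u, 0) < 0)
            rejected++;
    if (sc.count != SYNCACHE_MAX || rejected != 300 - SYNCACHE_MAX) return 0;
    if (syncache_timeout(&sc) != SYN_TIMEOUT_MIN) return 0;      /* full -> short timeout */
    if (syncache_expire(&sc, SYN_TIMEOUT_MIN) != SYNCACHE_MAX) return 0;
    if (syncache_add_syn(&sc, 0x0A000002u, 4000, 0xC0A80001u, 80, 77, 9000, 10)) return 0;
    if (syncache_complete(&sc, 0x0A000002u, 4000, 0xC0A80001u, 80, 9000, &done)) return 0;
    if (!syncache_complete(&sc, 0x0A000002u, 4000, 0xC0A80001u, 80, 9001, &done)) return 0;
    return sc.count == 0 && done.irs == 77;
}

int main(void)
{
    printf("syncache self-test: %s\n", syncache_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The self-test walks the scenario the thread describes: a flood of forged SYNs fills the cache to its ceiling, the surplus is shed without allocating anything, the timeout has collapsed to its minimum so the flood ages out quickly, and a later genuine client still completes its handshake (an ACK with the wrong sequence number is ignored rather than promoted). The per-boot hash seed is the detail that keeps the "hashed PCBs" win from being undone by a sender who picks addresses that all land in one chain.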