[4676] in North American Network Operators' Group
Re: New Denial of Service Attack ...
daemon@ATHENA.MIT.EDU (Christopher Blizzard)
Wed Sep 25 09:39:00 1996
To: postel@isi.edu
cc: nanog@merit.edu, iepg@iepg.org
In-reply-to: Your message of "Tue, 24 Sep 1996 22:52:46 PDT."
<199609250552.AA19213@zen.isi.edu>
Date: Wed, 25 Sep 1996 09:25:37 -0400
From: Christopher Blizzard <blizzard@odin.nyser.net>
In message <199609250552.AA19213@zen.isi.edu>, postel@ISI.EDU writes:
:----- Begin Included Message -----
:
:Subject: Re: FW: Latest attacks....
:Date: Thu, 19 Sep 1996 08:39:02 +0100
:From: Jon Crowcroft <J.Crowcroft@cs.ucl.ac.uk>
:
:
:Date: Wed, 18 Sep 1996 14:32:14 -0600
:From: vjs@mica.denver.sgi.com (Vernon Schryver)
:Subject: SYN bombing defense
:
:As reported here, in article <vxjiv9hkmcb.fsf_-_@dominator.eecs.harvard.edu>
:in comp.protocols.tcp-ip, Robert Morris <rtm@dominator.eecs.harvard.edu> wrote:
:
:>Perhaps TCP's listen queue should use random early drop (RED), a
:>technique used by routers to prevent any one source from monopolizing
:>a queue. See http://www-nrg.ee.lbl.gov/floyd/abstracts.html#FJ93 or
:>rfc1254.
:> ...
:
:I've just hacked IRIX 6.3 to do random-drop when sonewconn() in
:tcp_input.c fails. It works great! An IP22 receiving 1200 bogus
:SYN's per second directed to port 23 continues to answer requests
:for new telnet as if nothing is happening.
:
Alan Cox just released a patch vs Linux 2.0.21 that does this. It works
quite well. As best I can tell from the patch and the mail that preceded
it, it attempts to maintain about 30% free in the receive queue. I've
been running it for a couple of days and it does quite well defending
against these attacks. I've stuck it on my web page.
http://odin.nyser.net/~blizzard/linux/
--Chris
:
:Vernon Schryver, vjs@sgi.com
:
:------- End of Forwarded Message
:
:----- End Included Message -----
-------------------------------------------------------------------
Christopher Blizzard | "The truth knocks on the door and you say
blizzard@nysernet.org | 'Go away. I'm looking for the truth,' and
NYSERNet, Inc. | so it goes away." --Robert Pirsig
-------------------------------------------------------------------
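
Added example (not part of the original message, and not the IRIX or Linux patch code): a small simulation of a listen queue under the 1200 bogus SYNs per second mentioned above, comparing the classic refuse-when-full behaviour with random drop. The backlog of 256, 50 ms round trip, 75 s half-open timeout and one legitimate client every 100 ms are assumptions; client retransmits and the "30% free" target are not modelled.

```python
import random

def simulate(policy, backlog=256, bogus_per_sec=1200, rtt_ms=50,
             timeout_ms=75_000, legit_every_ms=100, duration_ms=10_000, seed=1):
    """Return the fraction of legitimate handshakes that complete.

    policy "tail":   a full queue refuses every new SYN until entries time out.
    policy "random": a full queue overwrites a randomly chosen half-open entry.
    """
    rng = random.Random(seed)
    queue = []                  # half-open entries: (expires_ms, ack_due_ms or None)
    sent = completed = acc = 0

    def admit(entry):
        if len(queue) < backlog:
            queue.append(entry)
        elif policy == "random":
            queue[rng.randrange(len(queue))] = entry   # evict a random victim
        # policy "tail": queue is full, the new SYN is silently dropped

    for now in range(duration_ms):          # one tick per millisecond
        survivors = []
        for expires, ack_due in queue:
            if ack_due is not None and ack_due <= now:
                completed += 1              # final ACK arrived while still queued
            elif expires > now:
                survivors.append((expires, ack_due))
        queue[:] = survivors

        acc += bogus_per_sec
        while acc >= 1000:                  # spoofed SYNs never send the final ACK
            acc -= 1000
            admit((now + timeout_ms, None))

        if now % legit_every_ms == 0 and now + rtt_ms < duration_ms:
            sent += 1
            admit((now + timeout_ms, now + rtt_ms))
    return completed / sent

if __name__ == "__main__":
    for policy in ("tail", "random"):
        print(policy, simulate(policy))
```

With refuse-when-full, the queue fills in about 0.2 s and stays full until the 75 s timers expire; with random drop, a legitimate entry only has to survive one round trip of evictions, so the survival odds improve with a larger backlog or a shorter round trip.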