[4955] in North American Network Operators' Group


Re: New Denial of Service Attack on Panix

daemon@ATHENA.MIT.EDU (Mike O'Dell)
Thu Oct 3 11:02:20 1996

To: Tim Bass <bass@cactus.silkroad.com>
cc: nanog@merit.edu, iepg@iepg.org
In-reply-to: Your message of "Thu, 03 Oct 1996 00:53:59 EDT."
             <199610030453.AAA00268@cactus.silkroad.com> 
Date: Thu, 03 Oct 1996 10:47:10 -0400
From: "Mike O'Dell" <mo@UU.NET>

Vern Schriver at SGI has been running experiments and
the conclusions are pretty compelling.

Have the listen queue do Random Drop of waiting connections.
If the queue size is equal to or greater than the attack rate
times the expected round-trip time, the probability of a
real session connecting on the first SYN is very close to one.

Note this performs much better than "oldest drop" (aka FIFO).

In his tests, a machine sustained a 1200 SYN/second attack
with no observable impact on system performance.  With a
queue size of 383, from a machine at 250 msec round-trip, thousands
of connections completed with only a handful of initial SYN
retransmissions (again, with a 1200 SYN/sec attack).

Best way to make the bogons leave is to make it not fun anymore.

This certainly seems to accomplish the goal.

	-mo
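The queue-overflow policies discussed in the message above, as an added simulation that is not part of the original post and not SGI's or anyone else's implementation. It models a fixed-size half-open (SYN_RCVD) queue under a SYN flood with three overflow policies: "reject_new" (assumed baseline: a SYN arriving at a full queue is simply lost), "drop_oldest" (the "oldest drop"/FIFO policy named in the message) and "drop_random" (the Random Drop policy). The model's assumptions are constructed, not measured: spoofed SYNs arrive at a constant rate and never complete, so after warm-up the queue is always full; the 75-second half-open timeout is ignored because it is far longer than one RTT; a real client's ACK arrives exactly one RTT after its SYN and the connection completes on the first SYN only if its entry is still queued then. The parameters (383 slots, 1200 SYN/s, 250 ms RTT) are the ones quoted in the message; the function and policy names are this example's own. `sweep()` shows how each policy behaves as the attack rate crosses N/RTT, and `random_drop_analytic()` gives the closed form for the random policy.

```python
"""Monte-Carlo model of listen-queue overflow policies under a SYN flood.

Added example, not from the NANOG thread or from SGI.  Constructed model
assumptions: attack SYNs arrive at a constant rate and never complete, so the
queue is always full once warmed up; the half-open timeout is ignored; a real
client's ACK lands exactly one RTT after its SYN, and the connection completes
on the first SYN only if its half-open entry is still in the queue then.
"""
import random

ATTACK = "attack"   # entry created by a spoofed SYN; the handshake never finishes
LEGIT = "legit"     # the single real client whose fate each trial tracks

POLICIES = ("reject_new", "drop_oldest", "drop_random")


class ListenQueue:
    """Fixed-capacity SYN_RCVD queue with a selectable overflow policy (hypothetical names)."""

    def __init__(self, capacity, policy, rng):
        if policy not in POLICIES:
            raise ValueError(f"unknown policy {policy!r}")
        self.capacity = capacity
        self.policy = policy
        self.rng = rng
        self.entries = []          # index 0 is the oldest half-open entry

    def syn(self, entry):
        """Handle an incoming SYN.  Returns True if a half-open entry was created."""
        if len(self.entries) < self.capacity:
            self.entries.append(entry)
            return True
        if self.policy == "reject_new":
            return False                       # full queue: the new SYN is lost
        if self.policy == "drop_oldest":
            self.entries.pop(0)                # FIFO / "oldest drop"
        else:
            self.entries.pop(self.rng.randrange(len(self.entries)))  # random drop
        self.entries.append(entry)
        return True

    def __contains__(self, entry):
        return entry in self.entries


def legit_completes(policy, queue_size, attack_rate, rtt, rng):
    """One trial: does a real client's first SYN complete while the flood runs?"""
    q = ListenQueue(queue_size, policy, rng)
    for _ in range(queue_size):            # warm-up: the flood has already filled the queue
        q.syn(ATTACK)
    if not q.syn(LEGIT):                   # the real SYN arrives at a full queue
        return False
    for _ in range(round(attack_rate * rtt)):   # flood continues while SYN-ACK is in flight
        q.syn(ATTACK)
    return LEGIT in q                      # does the client's ACK still match an entry?


def first_syn_success_rate(policy, queue_size=383, attack_rate=1200, rtt=0.25,
                           trials=2000, seed=1):
    """Fraction of trials in which the first SYN completes (seeded, so repeatable)."""
    rng = random.Random(seed)
    ok = sum(legit_completes(policy, queue_size, attack_rate, rtt, rng)
             for _ in range(trials))
    return ok / trials


def random_drop_analytic(queue_size, attack_rate, rtt):
    """Closed form for random drop: each of the R*RTT evictions spares the
    legitimate entry with probability 1 - 1/N, independently."""
    return (1 - 1 / queue_size) ** round(attack_rate * rtt)


def sweep(attack_rates=(600, 1200, 1800, 2400), queue_size=383, rtt=0.25, trials=500):
    """Success rate per policy across attack rates: shows where each policy breaks."""
    return {rate: {p: first_syn_success_rate(p, queue_size, rate, rtt, trials)
                   for p in POLICIES}
            for rate in attack_rates}


if __name__ == "__main__":
    for rate, results in sweep().items():
        line = "  ".join(f"{p}={v:.3f}" for p, v in results.items())
        print(f"{rate:5d} SYN/s  {line}")
```

Run it as a script to see the sweep. With a constant-rate flood, oldest-drop is all-or-nothing: the real entry survives if fewer than N attack SYNs arrive within one RTT and is evicted with certainty otherwise, so it has a cliff at an attack rate of N/RTT. Random drop degrades smoothly instead, with survival (1 - 1/N)^(R*RTT), which keeps some first-SYN completions going at rates where oldest-drop has none; the baseline of rejecting new SYNs gives the real client no chance at all once the queue is full of bogus entries.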
