[4957] in North American Network Operators' Group
Re: New Denial of Service Attack on Panix
daemon@ATHENA.MIT.EDU (Dima Volodin)
Thu Oct 3 11:35:14 1996
To: mo@UU.NET (Mike O'Dell)
Date: Thu, 3 Oct 1996 11:21:37 -0400 (EDT)
Cc: bass@cactus.silkroad.com, nanog@merit.edu, iepg@iepg.org
In-Reply-To: <QQbjvn07875.199610031447@rodan.UU.NET> from "Mike O'Dell" at Oct 3, 96 10:47:10 am
From: dvv@sprint.net (Dima Volodin)
Now can I hold my breath waiting for vendors to incorporate this stuff
into their products? Has anybody heard anything from Sun on this
matter?
Dima
Mike O'Dell writes:
>
> Vern Schriver at SGI has been running experiments and
> the conclusions are pretty compelling.
>
> Have the listen queue do Random Drop of waiting connections.
> If the queue size is equal or greater than the attack rate
> times the expected round-trip time, the probability of a
> real session connecting on the first SYN is very close to one.
>
> Note this performs much better than "oldest drop" (aka FIFO).
>
> In his tests, a machine sustained a 1200 SYN/second attack
> with no observable impact in system performance. With a
> queue size of 383, from a machine 250 msec round-trip thousands
> of connections completed with only a handful of initial SYN
> retransmissions (again, with a 1200 SYN/sec attack).
>
> Best way to make the bogons leave is to make it not fun anymore.
>
> This certainly seems to accomplish the goal.
>
> -mo
>
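The listen-queue sizing rule in the quoted post, as an added example (my code, not from the post, SGI, or any vendor): a model that compares oldest-drop and random-drop eviction under a steady SYN flood, assuming the half-open queue is already saturated with spoofed entries that never complete and that the legitimate client's final ACK returns one RTT after its SYN is queued.

```python
import math
import random


def attack_syns_during_rtt(attack_rate: float, rtt: float) -> int:
    """Attack SYNs that arrive while a legitimate handshake is in flight; with
    the queue saturated (assumption), each one forces exactly one eviction."""
    return int(attack_rate * rtt)


def first_syn_success_fifo(queue_size: int, attack_rate: float, rtt: float) -> float:
    """Oldest-drop ("FIFO"): the legitimate entry is evicted once queue_size
    newer attack SYNs have arrived, so the outcome is all-or-nothing."""
    return 1.0 if attack_syns_during_rtt(attack_rate, rtt) < queue_size else 0.0


def first_syn_success_random(queue_size: int, attack_rate: float, rtt: float) -> float:
    """Random-drop: each arriving attack SYN evicts a uniformly chosen entry, so
    the legitimate entry survives each eviction with probability 1 - 1/queue_size."""
    k = attack_syns_during_rtt(attack_rate, rtt)
    return (1.0 - 1.0 / queue_size) ** k


def queue_size_for_target(target: float, attack_rate: float, rtt: float) -> int:
    """Smallest random-drop queue giving first-SYN success >= target,
    solved from (1 - 1/N)^k >= target."""
    k = attack_syns_during_rtt(attack_rate, rtt)
    if k == 0:
        return 1
    return math.ceil(1.0 / (1.0 - target ** (1.0 / k)))


def simulate_random_drop(queue_size: int, attack_rate: float, rtt: float,
                         trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo check of the closed form: the legitimate entry occupies slot 0
    and every attack SYN evicts a random slot (seeded, so runs are repeatable)."""
    rng = random.Random(seed)
    k = attack_syns_during_rtt(attack_rate, rtt)
    survived = sum(
        all(rng.randrange(queue_size) != 0 for _ in range(k)) for _ in range(trials)
    )
    return survived / trials


if __name__ == "__main__":
    # Parameters taken from the post: 1200 SYN/s attack, 250 ms client RTT, queue of 383.
    for policy in (first_syn_success_fifo, first_syn_success_random):
        for q in (200, 383, 1000):
            print(f"{policy.__name__:>24} queue={q:5d}: {policy(q, 1200, 0.25):.3f}")
    print("queue for 99% first-SYN success:", queue_size_for_target(0.99, 1200, 0.25))
```

The FIFO result is a cliff (1.0 or 0.0 depending on whether the queue outlasts one RTT of attack traffic), while random drop degrades smoothly and can be sized for a chosen success probability.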