[4969] in North American Network Operators' Group


Re: New Denial of Service Attack on Panix

daemon@ATHENA.MIT.EDU (Dima Volodin)
Thu Oct 3 14:39:02 1996

To: pferguso@cisco.com (Paul Ferguson)
Date: Thu, 3 Oct 1996 14:33:47 -0400 (EDT)
Cc: dvv@sprint.net, nanog@merit.edu, iepg@iepg.org
In-Reply-To: <2.2.32.19961003182104.006d0230@lint.cisco.com> from "Paul Ferguson" at Oct 3, 96 02:21:04 pm
From: dvv@sprint.net (Dima Volodin)

But of course. The problem is that SYN_RCVD is a transient state in the
TCP automaton, and it requires some resource allocation. Life
might have been a little bit different if servers weren't forced
to track this state. Something like a signed ticket accompanying the
second SYN and the following ACK.


Dima

Paul Ferguson writes:
> 
> I agree completely, but neither one is a panacea.
> 
> - paul
> 
> At 08:40 AM 10/3/96 -0400, Dima Volodin wrote:
> 
> >And if everyone doesn't make any attacks we won't have any problems
> >either. To rephrase - relying on ingress filtering is putting your
> >security in someone else's hands, doing host-based stuff is protecting
> >yourself with your own hands. To rephrase once again - doing ingress
> >filtering is "being conservative with what you produce", being able to
> >cope with SYN floods on the host level is "being liberal in what you
> >accept." We need both, and overemphasising one side of the solution will
> >do a lot of harm.
> >
> >
> >Dima
> >
> 
> 
> 

