[4973] in North American Network Operators' Group


Re: TCP SYN attacks

daemon@ATHENA.MIT.EDU (Avi Freedman)
Thu Oct 3 15:48:26 1996

From: Avi Freedman <freedman@netaxs.com>
To: zab@grumblesmurf.net (Zach)
Date: Thu, 3 Oct 1996 15:40:19 -0400 (EDT)
Cc: rja@cisco.com, nanog@merit.edu, iepg@iepg.org
In-Reply-To: <Pine.LNX.3.92.961003121732.153h-100000@brownz.rhn.orst.edu> from "Zach" at Oct 3, 96 12:20:15 pm

> On Thu, 3 Oct 1996, Ran Atkinson wrote:
> 
> > >Dima Volodin writes:
> > >> Now can I hold my breath waiting for vendors to incorporate this stuff
> > >> into their products?
> >
> > At least BSDI, Sun, SGI, and HP are working on TCP SYN hardening.
> > (yes, cisco is also on top of things :-).
> >
> > I have no data on what might be up at other vendors.
> 
> the linux ip folk have released at least one patch (available near
> http://www.uk.linux.org/NetNews.html) that holds off the problem for a
> bit.  it has a larger infant connection queue and drops some off the end
> if it's under attack.  There has also been some talk of doing much more
> 'sneaky' stuff.  i.e. encoding cookies in rsts instead of sending
> synacks..

Yes.  This is the approach I like.
Store the mss info either in toto or in a table of "mss values I have
seen" as some # of bits of the iss and the rest is a one-way hard-to-guess
hash of some sort of the rest of the data (a rotating secret #, src/dest ips 
and ports etc...);

> zach

Avi
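The scheme Avi sketches above (an ISS whose high bits index a table of MSS values and whose remaining bits are a keyed hash over a rotating secret plus the connection 4-tuple) is what later became known as SYN cookies. The following is an added illustration, not code from this thread or from any of the vendors mentioned: it assumes a fixed, constructed MSS table, a 2-bit MSS index, HMAC-SHA256 truncated to 30 bits as the "hard-to-guess hash", a secret that rotates on a fixed period with the previous secret still accepted, and the usual SYN-ACK carrier rather than the RST variant Zach mentions. Class and method names are hypothetical.

```python
"""Stateless SYN handling: the ISS in the SYN-ACK carries the MSS choice and an
authenticator, so no per-connection state is kept until the final ACK validates."""
import hashlib
import hmac
import os
import struct
import time

# Constructed table of MSS values the server is willing to remember.  Avi's
# note allows either the full MSS "in toto" or a table of values seen; this
# illustration uses the table form.  Ascending order is relied on below.
MSS_TABLE = (536, 1460, 4312, 8960)
MSS_BITS = 2                       # log2(len(MSS_TABLE)) bits of the 32-bit ISS
HASH_BITS = 32 - MSS_BITS          # bits left for the keyed hash
HASH_MASK = (1 << HASH_BITS) - 1


class SynCookieServer:
    """Builds and checks SYN-cookie style initial sequence numbers (hypothetical API)."""

    def __init__(self, rotate_seconds=60, clock=time.time):
        self.rotate_seconds = rotate_seconds
        self.clock = clock            # injectable for deterministic tests
        self._secrets = {}            # epoch number -> 16-byte secret

    def _epoch(self):
        return int(self.clock()) // self.rotate_seconds

    def _secret(self, epoch):
        """Return the secret for an epoch, minting it on first use and pruning
        anything older than the previous epoch (assumed rotation policy)."""
        if epoch not in self._secrets:
            self._secrets[epoch] = os.urandom(16)
            for old in [e for e in self._secrets if e < epoch - 1]:
                del self._secrets[old]
        return self._secrets[epoch]

    @staticmethod
    def _auth(secret, src_ip, dst_ip, src_port, dst_port, mss_idx):
        """Keyed hash over the 4-tuple and the MSS index, truncated to HASH_BITS."""
        msg = src_ip.encode() + b"|" + dst_ip.encode() + b"|" + struct.pack(
            "!HHB", src_port, dst_port, mss_idx)
        digest = hmac.new(secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big") & HASH_MASK

    def make_iss(self, src_ip, dst_ip, src_port, dst_port, client_mss):
        """ISS to place in the SYN-ACK: MSS index in the high bits, hash below."""
        mss_idx = 0                   # fall back to the smallest entry
        for i, mss in enumerate(MSS_TABLE):
            if mss <= client_mss:     # largest table entry the client allows
                mss_idx = i
        secret = self._secret(self._epoch())
        auth = self._auth(secret, src_ip, dst_ip, src_port, dst_port, mss_idx)
        return (mss_idx << HASH_BITS) | auth

    def check_ack(self, src_ip, dst_ip, src_port, dst_port, ack_num):
        """Validate the handshake's final ACK.  Returns the MSS to use for the
        connection, or None if the cookie does not verify under the current or
        previous secret (so a flood cannot replay old or forged ACKs)."""
        cookie = (ack_num - 1) & 0xFFFFFFFF      # ACK acknowledges ISS + 1
        mss_idx = cookie >> HASH_BITS
        auth = cookie & HASH_MASK
        epoch = self._epoch()
        for e in (epoch, epoch - 1):
            secret = self._secrets.get(e)
            if secret is None:
                continue
            expected = self._auth(secret, src_ip, dst_ip, src_port, dst_port, mss_idx)
            if hmac.compare_digest(expected.to_bytes(4, "big"), auth.to_bytes(4, "big")):
                return MSS_TABLE[mss_idx]
        return None


if __name__ == "__main__":
    # Constructed sample handshake: client 10.0.0.1:40000 -> server 10.0.0.2:80.
    srv = SynCookieServer()
    iss = srv.make_iss("10.0.0.1", "10.0.0.2", 40000, 80, 1460)
    print("ISS 0x%08x, MSS index %d" % (iss, iss >> HASH_BITS))
    print("valid ACK ->", srv.check_ack("10.0.0.1", "10.0.0.2", 40000, 80, (iss + 1) & 0xFFFFFFFF))
    print("forged ACK ->", srv.check_ack("10.0.0.1", "10.0.0.2", 40000, 80, (iss + 2) & 0xFFFFFFFF))
```

Only MSS_BITS bits of the ISS are recoverable from the ACK, which is why the table form exists: every other TCP option offered in the SYN is lost unless it is encoded the same way, a trade-off the later real implementations also had to make. Rotating the secret bounds how long a captured cookie stays valid, and accepting the previous epoch keeps legitimate handshakes that straddle a rotation from failing.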

