[5052] in North American Network Operators' Group


Re: TCP SYN attacks - a simple solution

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Sun Oct 6 21:28:00 1996

To: Tim Bass <bass@linux.silkroad.com>
cc: mo@uu.net (Mike O'Dell), bugtraq@netspace.org, nanog@merit.edu,
        iepg@iepg.org
In-reply-to: Your message of "Sun, 06 Oct 1996 21:07:34 EDT."
             <199610070107.VAA07691@linux.silkroad.com> 
Reply-To: perry@piermont.com
Date: Sun, 06 Oct 1996 21:22:02 -0400
From: "Perry E. Metzger" <perry@piermont.com>


Tim Bass writes:
> > best solution known so far is Random Drop of waiting connections
> ....
> 
> Random Drop and Oldest drop do not work against high speed attacks.

In combination with Borman's minimization of the half-open
data structures (and hash tabling of those structures), they work
pretty well against fairly nasty attacks.

> I thought it was agreed by all on this list last week

No it wasn't. There are, however, people that don't want to pollute
all these lists with this chatter.

> that Jeff's
> solution to delay data structure initialization until after the
> handshake is complete was more reliable than Random Drop and
> is proven by Jeff on BSD to work with high speed attacks.

The stated technique is flawed in several ways. Among others, it
breaks SYN filtering firewalls and breaks several important forms of
TCP option negotiation.

Perry
