[69841] in North American Network Operators' Group


Re: TCP RST attack (the cause of all that MD5-o-rama)

daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Tue Apr 20 18:47:37 2004

In-Reply-To: <20040420214501.GF17921@vijaygill.com>
Cc: nanog@merit.edu
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Wed, 21 Apr 2004 00:37:31 +0200
To: vijay gill <vgill@vijaygill.com>
Errors-To: owner-nanog-outgoing@merit.edu


On 20-apr-04, at 23:45, vijay gill wrote:

> the correct workaround is the
> http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt
> draft. MD5 is also the correct workaround. However, neither of the
> two protects against what is the most vulnerable thing in the internet
> infrastructure today - a large amount of PPS at the _router_ (with or
> without md5 or tcpsecure) will blow it out of the water.

So all we have to do is apply strong crypto a bit smarter, such that we 
only burn CPU cycles for good packets rather than for all packets.

