New Denial of Service Attack on Panix

Tim Bass bass at linux.silkroad.com
Thu Oct 3 15:22:27 UTC 1996


> 
> Vern Schriver at SGI has been running experiments and 
> the conclusions are pretty compelling.
> 

Yes, I have been looking for 'another approach' other than random
drop, just as an alternative.  But, since ICMP/IP seems to be
broken, using ICMP UNREACHABLE error messages does not work.

I agree that random drop is the 'best current idea' (BCI :-)
However, I think it is prudent to look at other possible
approaches as well.  This is what I have been doing in the lab;
looking to see if any other practical alternatives exist
at the kernel implementation of TCP/IP.

My efforts in the lab do not imply that random drop 
is not a good idea.   On the contrary, the
more I look for an alternative solution, the better
random drop appears.  

However, it is interesting to see if another kernel
mod would work as well.  I do worry about
the limitation of the queue drop algorithm based
on queue size and delay.  

FYI:  I implemented 'someone's' version of random drop
on my servers (using their patch) and the servers
all crashed (when the attack was fast and hard on
the same subnet).  There is a lot of work to be
done.

Thanks,

Tim
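The random-drop idea discussed in the message above, as an added simulation
that is not code from this post, from the patch Tim mentions, or from any
kernel. It models a fixed-size listen backlog of half-open (SYN_RCVD) entries
under a flood of spoofed SYNs that never complete, and compares two policies
for a full backlog: refusing the new SYN versus evicting a randomly chosen
existing entry to make room. Every parameter (128 backlog entries, 50 spoofed
SYNs per tick, one legitimate SYN per tick, a 3-tick handshake round trip, a
75-tick half-open timeout) is an assumption chosen to make the trade-off
visible, not a measurement from Panix or from any stack; the queue size and
the round-trip delay are exactly the knobs the message worries about, and
changing them in the call shows how much legitimate traffic survives.

```python
import random
from dataclasses import dataclass


@dataclass
class HalfOpen:
    """One entry in the listen socket's half-open (SYN_RCVD) backlog."""
    legit: bool    # True for a real client that will finish the handshake
    arrived: int   # tick at which the SYN was queued


def simulate(policy, ticks=400, capacity=128, attack_rate=50, legit_rate=1,
             rtt=3, syn_timeout=75, seed=1):
    """Return the fraction of legitimate connections that complete.

    policy: "reject"      -> when the backlog is full, drop the incoming SYN
            "random_drop" -> when the backlog is full, evict a random existing
                             half-open entry and queue the incoming SYN
    Spoofed SYNs never complete; legitimate ones complete once they have sat
    in the backlog for `rtt` ticks (the client's ACK has arrived).
    All rates, sizes and timeouts are constructed assumptions for the model,
    not measurements of any real server or kernel.
    """
    if policy not in ("reject", "random_drop"):
        raise ValueError("unknown policy: %r" % policy)
    rng = random.Random(seed)
    backlog = []
    legit_sent = 0
    legit_done = 0
    for t in range(ticks):
        # Entries that have waited longer than the SYN timeout are reclaimed.
        backlog = [e for e in backlog if t - e.arrived < syn_timeout]
        # Legitimate handshakes whose ACK has had time to arrive complete
        # and leave the backlog; spoofed entries just sit there.
        remaining = []
        for e in backlog:
            if e.legit and t - e.arrived >= rtt:
                legit_done += 1
            else:
                remaining.append(e)
        backlog = remaining
        # This tick's arrivals: a burst of spoofed SYNs plus a few real ones.
        # Real SYNs are only sent while they still have time to complete.
        arrivals = [HalfOpen(False, t) for _ in range(attack_rate)]
        if t < ticks - rtt:
            arrivals += [HalfOpen(True, t) for _ in range(legit_rate)]
            legit_sent += legit_rate
        rng.shuffle(arrivals)  # interleave real and spoofed traffic
        for e in arrivals:
            if len(backlog) < capacity:
                backlog.append(e)
            elif policy == "random_drop":
                # Full: throw out a random half-open entry (usually a spoofed
                # one, since they dominate the queue) and take the new SYN.
                backlog[rng.randrange(len(backlog))] = e
            # "reject": backlog is full, the new SYN is silently dropped.
    return legit_done / legit_sent if legit_sent else 0.0


def compare(**kwargs):
    """Run both policies on identical traffic and return their success rates."""
    return {p: simulate(p, **kwargs) for p in ("reject", "random_drop")}


if __name__ == "__main__":
    for policy, rate in compare().items():
        print("%-12s legitimate connections completed: %.1f%%"
              % (policy, 100 * rate))
```

With the default assumptions, refusing new SYNs lets only a few percent of
legitimate clients through (a slot opens only when an entry times out or a
handshake completes, and the flood almost always wins the race for it), while
random drop lets roughly a third through, because a real client only has to
survive a few ticks of random eviction. Raising rtt or lowering capacity cuts
that survival rate quickly, which is the size-and-delay limitation the message
points at.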
