TCP SYN attacks

Avi Freedman freedman at netaxs.com
Fri Oct 4 14:20:03 UTC 1996


> Now what is 100,000 entries? With the timeout aggressively set at 10
> secs (heck, with 10 secs I sometimes cannot even get all the images on
> home.netscape.com) it's only 1000 SYNs/sec. How many hosts you want to
> protect with such a firewall?
> 
> Dima

A timeout of 10 seconds is on two packets going back and forth.
Many have said that the timeout must be much higher.  I just don't
see it.  A SYN arrives.  A SYN-ACK is sent out.  A 10 second timer 
starts that is counted down to 0.  An ACK of that SYN-ACK arrives
back within the 10 seconds and we set up the connection.  If the
two packets can't each go one way in 10 seconds, the SYN will be
retransmitted.

The timeout isn't on open connections, just on embryonic ones.

So let's say 1,000,000 entries:  But even 100k entries at 10 seconds 
allows for 10k packets/sec, which is 2 * what you can receive in a maxed 
out t1.

My preferred approach is to not even have to store state on any
of the embryonic connections.  And to implement the fix on all
of my hosts.  And customers can implement it in a firewall, if
they choose (and have boxes which can't be fixed: Win95, NT, Macs, ...).

Avi

> Avi Freedman writes:
> > 
> > If someone can hose a firewall with an adaptive SYN timeout and
> > a 100,000 or more-entry state storage structure for pending SYNs
> > (not that any particular implementation does this that I know of 
> > or don't know of) then I *WANT* them to attack me.
> > 
> > Something that un-subtle should be easy to track back to the source.
> > 
> > > Tom E. Perrine (tep at SDSC.EDU) | San Diego Supercomputer Center 
> > > http://www.sdsc.edu/~tep/     | Voice: +1.619.534.5000
> > > "Ille Albus Canne Vinco Homines" - You Know Who
> > 
> > Avi
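The two defences the thread argues about, as an added example that is not part of Avi's post or anything any NANOG participant wrote: a bounded table of embryonic (half-open) connections with the 10-second timer, which shows why a table of N entries sustains N/10 never-acknowledged SYNs per second, and a stateless check in which the SYN-ACK's initial sequence number is a keyed hash of the connection's 4-tuple and a coarse time slot, so the returning ACK verifies itself without any stored state. The stateless part is an assumption (a simplified SYN-cookie-style scheme; the post does not say which stateless mechanism was meant), and the addresses, secret and traffic are constructed.

```python
"""Constructed model of SYN-flood handling: a half-open connection table with a
timeout, and a stateless (SYN-cookie-style, assumed) alternative."""
import hashlib
import hmac
import os
from collections import OrderedDict

TIMEOUT = 10.0  # seconds a SYN-ACK waits for its ACK before the slot is freed


class EmbryonicTable:
    """Half-open connection table: fixed capacity, entries expire after `timeout`.
    Only embryonic connections live here; completed ones are handed off."""

    def __init__(self, capacity, timeout=TIMEOUT):
        self.capacity = capacity
        self.timeout = timeout
        self.pending = OrderedDict()  # key -> expiry time, oldest entry first
        self.dropped = 0              # SYNs refused because the table was full

    def _expire(self, now):
        # Entries arrive in time order, so expiry is a pop from the front.
        while self.pending:
            expiry = next(iter(self.pending.values()))
            if expiry > now:
                break
            self.pending.popitem(last=False)

    def syn(self, key, now):
        """A SYN arrived at `now`: record it (and conceptually send the SYN-ACK)."""
        self._expire(now)
        if len(self.pending) >= self.capacity:
            self.dropped += 1
            return False
        self.pending[key] = now + self.timeout
        return True

    def ack(self, key, now):
        """The ACK of our SYN-ACK arrived: complete the handshake if still pending."""
        self._expire(now)
        return self.pending.pop(key, None) is not None


def sustainable_syn_rate(capacity, timeout=TIMEOUT):
    """Highest rate of never-acknowledged SYNs the table absorbs without dropping."""
    return capacity / timeout


def simulate_flood(capacity, syns_per_second, seconds, timeout=TIMEOUT):
    """Spoofed SYNs that are never ACKed, one batch per second; returns drops."""
    table = EmbryonicTable(capacity, timeout)
    for t in range(seconds):
        for i in range(syns_per_second):
            table.syn((t, i), float(t))  # (t, i) stands in for a unique 4-tuple
    return table.dropped


# Stateless alternative (assumption: a SYN-cookie-style keyed hash). The SYN-ACK's
# initial sequence number is a MAC over the 4-tuple and a coarse time slot, so a
# genuine ACK can be recognised later without having stored anything.
SECRET = os.urandom(16)  # constructed per-server secret


def stateless_isn(secret, client, server, slot):
    """ISN to place in the SYN-ACK for this (client, server) pair in this slot."""
    msg = f"{client[0]}:{client[1]}|{server[0]}:{server[1]}|{slot}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def stateless_verify(secret, client, server, ack_number, slot):
    """Accept the ACK if it acknowledges an ISN from this or the previous slot."""
    for s in (slot, slot - 1):
        if (stateless_isn(secret, client, server, s) + 1) & 0xFFFFFFFF == ack_number:
            return True
    return False


if __name__ == "__main__":
    print("sustainable rate for 100k entries:", sustainable_syn_rate(100_000), "SYN/s")
    print("drops at 1x sustainable rate:", simulate_flood(1_000, 100, 20))
    print("drops at 2x sustainable rate:", simulate_flood(1_000, 200, 20))
```

The simulation scales the thread's numbers down by 100 (1,000 entries, 100 and 200 SYN/s) so it runs instantly; the ratio is what matters, and the 2x case drops every SYN that arrives while the table is full. The stateless check trades the table for one MAC computation per incoming ACK and, in this simplified form, loses the TCP options the SYN carried, which is the usual caveat against leaving it on permanently rather than switching it in under load.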
