TCP SYN attacks - a simple solution

• Previous message (by thread): TCP SYN attacks - a simple solution
• Next message (by thread): TCP SYN attacks - a simple solution
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

best solution known so far is Random Drop of waiting connections
once queue fills to a limit at least as large as design RTT*Attack-Rate
(queues in the 350-400 range appear to be quite sufficient for
RTTs in the 250msec range with 1000-packets/second attacks).

Some also argue that somewhat more aggressive aging with Oldest Drop
(aka FIFO) also helps while the queue fills to the point of
instigating Random Drop.  One can mutter about where transition
between Oldest and Random should occur.  I'm willing to believe hybrid
strategy could be better at possible cost of more complexity.
(although more agressive Oldest Drop is probably just a timer tweek.)

Note that with Random Drop and 350-400 max queue size legit connections
almost always complete on the first SYN with no retransmission.

	cheers,
	-mo

• Previous message (by thread): TCP SYN attacks - a simple solution
• Next message (by thread): TCP SYN attacks - a simple solution
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]