New Denial of Service Attack on Panix
Avi Freedman
freedman at netaxs.com
Tue Sep 17 02:07:07 UTC 1996
> Michael Dillon writes:
> > There are at least three things you can do to protect yourself from such
> > attacks. One is to patch your UNIX/BSD kernel to allow much higher numbers
> > of incomplete socket connections.
>
> Also, hashing the incoming PCBs is a big win.
Or not even creating PCBs and socket structures for the unacknowledged
SYNs. Keep them in a data structure that stores the pertinent info and
reconstruct the packets when the ACK comes in (when you create the mbufs/
PCB/socket).
> That breaks TCP, and often badly. In fact, the problem isn't so bad
> with a properly designed kernel. The initial experiments say that
> increasing the size of the incoming connection queue, hashing the
> queue, and adaptively lowering the timeout on infant connections
> should permit you to survive pretty intense attack without stopping
> service. This is probably the best approach for people to unilaterally
> take.
Hear, hear.
> However, in general, it would be very nice for providers to start
> filtering their customers so that they could not send forged packets
> from network numbers they don't own.
Hear, hear, hear.
> Perry
Avi
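Added example, not code from this post, from Panix, or from any BSD kernel: a user-space simulation of the two ideas above, Avi's (keep only the pertinent info for an unacknowledged SYN and build the socket/PCB only when the ACK arrives) and the quoted one (a hashed queue of infant connections whose timeout drops as the queue fills). All names, sizes and the constructed flood scenario are assumptions for illustration; the ISS generation is a toy counter, not what a real stack should do.

```c
/* Added example: a hashed SYN cache with an adaptive infant-connection
 * timeout, simulated in user space. Not the Panix fix and not BSD code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBUCKETS     64
#define BUCKET_DEPTH 8                  /* per-bucket cap: a flood on one bucket cannot starve the rest */
#define CAPACITY     (NBUCKETS * BUCKET_DEPTH)
#define BASE_TIMEOUT 75                 /* seconds; the classic BSD timeout for half-open connections */
#define MIN_TIMEOUT  5                  /* floor used when the cache is full */

struct synent {                         /* the "pertinent info" for one half-open connection */
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint32_t iss;                       /* sequence number we sent in our SYN-ACK */
    uint32_t irs;                       /* sequence number from their SYN */
    uint32_t born;                      /* arrival time, seconds */
    int      used;
};

struct syncache {
    struct synent ent[NBUCKETS][BUCKET_DEPTH];
    unsigned count, evicted, expired, completed;
    uint32_t next_iss;
};

static unsigned bucket_of(uint32_t saddr, uint16_t sport, uint32_t daddr, uint16_t dport)
{
    uint32_t h = 2166136261u;           /* FNV-1a over the 4-tuple */
    uint32_t parts[4] = { saddr, sport, daddr, dport };
    for (int i = 0; i < 4; i++)
        for (int j = 0; j < 4; j++) { h ^= (parts[i] >> (8 * j)) & 0xff; h *= 16777619u; }
    return h % NBUCKETS;
}

/* Timeout shrinks linearly from BASE_TIMEOUT (cache empty) to MIN_TIMEOUT (cache full). */
uint32_t adaptive_timeout(const struct syncache *c)
{
    return BASE_TIMEOUT - (uint32_t)((uint64_t)(BASE_TIMEOUT - MIN_TIMEOUT) * c->count / CAPACITY);
}

static void expire(struct syncache *c, uint32_t now)
{
    uint32_t to = adaptive_timeout(c);
    for (int b = 0; b < NBUCKETS; b++)
        for (int i = 0; i < BUCKET_DEPTH; i++) {
            struct synent *e = &c->ent[b][i];
            if (e->used && now - e->born >= to) { e->used = 0; c->count--; c->expired++; }
        }
}

/* A SYN arrives: record it without allocating a socket/PCB; return the ISS for the SYN-ACK. */
uint32_t syn_arrived(struct syncache *c, uint32_t saddr, uint16_t sport,
                     uint32_t daddr, uint16_t dport, uint32_t seq, uint32_t now)
{
    expire(c, now);
    struct synent *slot = NULL, *oldest = NULL, *row = c->ent[bucket_of(saddr, sport, daddr, dport)];
    for (int i = 0; i < BUCKET_DEPTH; i++) {
        if (!row[i].used) { slot = &row[i]; break; }
        if (!oldest || row[i].born < oldest->born) oldest = &row[i];
    }
    if (!slot) { slot = oldest; c->evicted++; c->count--; }   /* bucket full: drop the oldest half-open entry */
    c->next_iss += 64000;               /* toy ISS (assumption); a real stack uses an unpredictable value */
    *slot = (struct synent){ saddr, daddr, sport, dport, c->next_iss, seq, now, 1 };
    c->count++;
    return c->next_iss;
}

/* The handshake ACK arrives: only now would the kernel build mbufs/PCB/socket. */
int ack_arrived(struct syncache *c, uint32_t saddr, uint16_t sport,
                uint32_t daddr, uint16_t dport, uint32_t ack, uint32_t now)
{
    expire(c, now);
    struct synent *row = c->ent[bucket_of(saddr, sport, daddr, dport)];
    for (int i = 0; i < BUCKET_DEPTH; i++) {
        struct synent *e = &row[i];
        if (e->used && e->saddr == saddr && e->sport == sport && e->daddr == daddr &&
            e->dport == dport && ack == e->iss + 1) {
            e->used = 0; c->count--; c->completed++;
            return 1;                   /* full connection established */
        }
    }
    return 0;                           /* stale or forged ACK: ignored, nothing was allocated for it */
}

/* Constructed scenario: nforged spoofed SYNs that are never ACKed, then one real client handshake. */
int flood_then_connect(unsigned nforged)
{
    struct syncache c; memset(&c, 0, sizeof c);
    for (unsigned i = 0; i < nforged; i++)
        syn_arrived(&c, 0x0a000000u + i * 2654435761u, (uint16_t)(1024 + i), 0xc6336401u, 80, i, i / 4096);
    uint32_t iss = syn_arrived(&c, 0xc0a80101u, 40000, 0xc6336401u, 80, 1000, 1);
    return ack_arrived(&c, 0xc0a80101u, 40000, 0xc6336401u, 80, iss + 1, 1);
}

int main(void)
{
    printf("legit connection after 5000 forged SYNs: %s\n", flood_then_connect(5000) ? "completed" : "failed");
    return 0;
}
```

Memory stays bounded at CAPACITY small entries no matter how many forged SYNs arrive, because a full bucket evicts its oldest entry rather than refusing service, and the adaptive timeout makes abandoned entries age out faster exactly when the cache is under pressure. Note what this does not fix: a forged SYN still costs a SYN-ACK on the wire, which is why the quoted call for providers to filter forged source addresses at their customers' edge is the other half of the answer.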