New Denial of Service Attack ...

Barney Wolff barney at databus.com
Wed Sep 25 23:24:00 UTC 1996


Ok, I'm confused.  Quoting from Vernon's message:

> Date: Wed, 18 Sep 1996 14:32:14 -0600
> From: vjs at mica.denver.sgi.com (Vernon Schryver)
> Subject: SYN bombing defense
> 
> I've just hacked IRIX 6.3 to do random-drop when sonewconn() in
> tcp_input.c fails.  It works great!  An IP22 receiving 1200 bogus
> SYN's per second directed to port 23 continues to answer requests
> for new telnet as if nothing is happening.
> ...
> As I figure it, as long as the length of the queue is longer than RTT
> of the real telnet client times the rate of bogus SYNs, the real
> clients have an excellent probability of getting through on their
> first attempt.  For example, at 1200 bogus SYNs/sec and the IRIX 6.3
> telnet listen queue of 383, there should be no trouble with peers
> with RTT up to about 300 milliseconds.  I've tested with a telnet
> client 250 milliseconds away while simultaneously bombing the machine
> from nearby with ~1200 SYNs/sec, and see no telnet TCP retransmissions.

Because the queue is always full, you must have been doing 1200 random-
drops per second, also.  A telnet client 250ms away is therefore on
average exposed to 300 random-drops, each of which has a chance of 1/383
of killing it.  Its probability of survival is (1-1/383)^300, or .456,
not so good.  It would be different if it were oldest-drop, but random-
drop is what's stated.

Lacking evidence, I won't argue with the experimental finding that the
problem goes away - but if so, what's wrong with my computation?

Barney Wolff  <barney at databus.com>
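Barney's survival computation, and the oldest-drop alternative he contrasts it with, worked through as an added example (not code from this thread). The parameters are the ones quoted above (1200 bogus SYNs/s, listen queue of 383, client 250 ms away); the Monte Carlo check and the sizing helper are my own construction.

```python
import math
import random

# Parameters quoted in the thread (constructed example inputs, not measured data).
SYN_RATE = 1200   # bogus SYNs per second
QUEUE_LEN = 383   # IRIX 6.3 telnet listen queue
RTT_MS = 250      # round-trip time of the legitimate telnet client

def survival_random_drop(syn_rate, queue_len, rtt_ms):
    """Probability a legitimate half-open entry survives under random-drop.

    With the queue permanently full, every bogus SYN evicts one random entry,
    so the legitimate entry is exposed to syn_rate * rtt evictions, each of
    which hits it with probability 1/queue_len.  This is Barney's (1-1/383)^300.
    """
    drops = syn_rate * rtt_ms / 1000.0
    return (1 - 1 / queue_len) ** drops

def survival_oldest_drop(syn_rate, queue_len, rtt_ms):
    """Under oldest-drop the legitimate entry survives exactly when the queue
    takes longer than one RTT to cycle, i.e. queue_len > syn_rate * rtt.
    This is the condition Vernon's estimate assumes."""
    return 1.0 if queue_len > syn_rate * rtt_ms / 1000.0 else 0.0

def queue_len_for_target(syn_rate, rtt_ms, target):
    """Smallest queue length giving survival >= target under random-drop.

    Solves (1 - 1/q)^drops >= target for q:  q >= 1 / (1 - target**(1/drops)).
    """
    drops = syn_rate * rtt_ms / 1000.0
    return math.ceil(1 / (1 - target ** (1 / drops)))

def simulate_random_drop(syn_rate, queue_len, rtt_ms, trials=10000, seed=1):
    """Monte Carlo check of survival_random_drop: one legitimate slot in a
    full queue, one uniformly random eviction per arriving bogus SYN."""
    rng = random.Random(seed)
    drops = int(syn_rate * rtt_ms / 1000.0)
    survived = 0
    for _ in range(trials):
        alive = True
        for _ in range(drops):
            if rng.randrange(queue_len) == 0:   # the legitimate slot was picked
                alive = False
                break
        survived += alive
    return survived / trials

if __name__ == "__main__":
    print("random-drop survival:", survival_random_drop(SYN_RATE, QUEUE_LEN, RTT_MS))
    print("oldest-drop survival:", survival_oldest_drop(SYN_RATE, QUEUE_LEN, RTT_MS))
    print("queue for 99% survival:", queue_len_for_target(SYN_RATE, RTT_MS, 0.99))
    print("simulated random-drop:", simulate_random_drop(SYN_RATE, QUEUE_LEN, RTT_MS))
```

The closed form reproduces the 0.456 in the message, and the sizing helper shows how much larger a queue random-drop needs than oldest-drop to keep the same client safe.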
