New Denial of Service Attack ...

Barney Wolff barney at databus.com
Thu Sep 26 00:43:00 UTC 1996


> Date: Wed, 25 Sep 1996 18:01:50 -0600
> From: vjs at mica.denver.sgi.com (Vernon Schryver)
> 
> At R=100 SYNs/sec, RTT=250, and L=382, ((L-1)/L)^(RTT*R) = 93%, which
> is not so bad.  Drop-oldest is better with those three numbers, since
> it works 100% (modulo ordinary problems), but its performance falls off
> the cliff to 0% at R=L/RTT.  If you have a short queue and care about
> long RTT's, random drop is better than drop-oldest.

Agreed.  Note that 93% is not bad for a human-initiated telnet, but is
disastrous for a Web browser which initiates a dozen tcp sessions to
retrieve one page, because the browser will probably not retry at all if
it gets a reset, but instead report failure to retrieve the page to the
user, who can only ask it to start over from the beginning.  So I think
that it's better to accept the limited-radius-under-attack property of
drop-oldest, gaining the immunity from interference within the safe
radius.  If it were possible to set the syn-rcvd timeout with sub-second
granularity, this "fix" would not even take any kernel code mods - but
of course it does not adjust the safe radius dynamically as the attack
rate changes.

What's absolutely clear is that any method of queue pruning is better
than none, and a big queue is required for survival.

Barney Wolff  <barney at databus.com>





More information about the NANOG mailing list