
On Thu, May 02, 2002 at 01:42:03AM -0700, Alexei Roudnev wrote:
> It's a common approach - NEVER refuse new requests for the resource; if there is not enough resource, drop some of the old users of the resource... In a lot of cases, it will prevent deadlock because you will be dropping the users who exhausted the resource more than _correct_ users. It relates to the half-open connections, memory, etc etc...
>
> In case of _random_ IP addresses - ok, what happens if you (always) drop the FIRST packet from any new IP address? For a good SYN packet, you will receive a second request in a second; for a false one, you just filter out the DDoS itself. This is not universal, but for a simple DDoS it will work.
It all depends on *what* is being DoS'd. The application? The TCP listen queue? The number of interrupts/sec that box can handle? The pipe on that box? The switch? The router? The provider's router? The pipe between any of the previous 3? Any of these are potentially valid targets.

Given a network which doesn't break, one can very easily expect a FreeBSD -STABLE box on a P3 1GHz to survive at least 100kpps of SYN flood. Past 144kpps you clog FastE completely, and need to go to GigE. I've seen well-configured servers eating 250kpps of SYN floods while still providing uninterrupted service, which is probably more than your router will be able to handle unless it's a GSR or Juniper. But if you are on a DS3, or even if you have an OC48 from a provider who either doesn't want to or doesn't know how to protect their infrastructure from attacks, all of that means absolutely NOTHING.

-- 
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
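Alexei's "always drop the first SYN from a new source" idea, and the "evict the old user rather than refuse the new one" rule he mentions, as an added example that is not part of the original thread: a small Python simulation of such a filter replayed against a constructed SYN stream. The address ranges, the 1 s and 3 s retransmit timing, the 0.5-6 s retry window and the 1000-entry table size are assumptions, not values from either post.

```python
"""Simulation of the "drop the first SYN from any new source" filter.

Added example, not from the original thread. Assumptions (not stated in
the posts): legitimate stacks retransmit an unanswered SYN after roughly
1 s and again 2 s later; spoofed flood sources never retransmit; the
pending-source table is bounded and evicts its oldest entry when full.
"""
from collections import OrderedDict


class FirstSynDropFilter:
    """Drop the first SYN from an unknown source; pass it once it retries.

    `pending` maps source -> time of its first (dropped) SYN. When the
    table is full the oldest pending entry is evicted, i.e. an old user
    of the resource is dropped instead of the new request being refused.
    """

    def __init__(self, max_entries=1000, min_retry=0.5, max_retry=6.0):
        self.max_entries = max_entries
        self.min_retry = min_retry  # faster than this is a burst, not a retransmit
        self.max_retry = max_retry  # slower than this is treated as a fresh SYN
        self.pending = OrderedDict()
        self.allowed = set()
        self.evictions = 0

    def admit(self, now, src):
        """Return True if the SYN from `src` seen at time `now` should pass."""
        if src in self.allowed:
            return True
        first = self.pending.get(src)
        if first is None:
            if len(self.pending) >= self.max_entries:
                self.pending.popitem(last=False)  # evict the oldest pending source
                self.evictions += 1
            self.pending[src] = now
            return False  # always drop the first SYN from a new source
        delta = now - first
        if delta < self.min_retry:
            return False  # too fast to be a stack retransmit; keep waiting
        if delta > self.max_retry:
            self.pending.pop(src)
            self.pending[src] = now  # stale entry: restart the clock
            return False
        # Plausible retransmit: a real TCP stack is on the other end
        del self.pending[src]
        self.allowed.add(src)
        return True


def run_scenario(n_legit, flood_pps, duration, table_size):
    """Replay a constructed SYN stream through the filter and report who got through."""
    events = []
    for i in range(n_legit):
        t0 = 0.1 * i
        src = f"192.0.2.{i}"  # constructed client addresses (TEST-NET-1)
        for dt in (0.0, 1.0, 3.0):  # initial SYN plus two retransmits
            events.append((t0 + dt, src, "legit"))
    for j in range(int(flood_pps * duration)):
        # constructed flood: every packet from a fresh spoofed source, never retried
        events.append((j / flood_pps, f"flood-{j}", "flood"))
    events.sort()

    filt = FirstSynDropFilter(max_entries=table_size)
    legit_admitted, flood_admitted = set(), 0
    for now, src, kind in events:
        if filt.admit(now, src):
            if kind == "legit":
                legit_admitted.add(src)
            else:
                flood_admitted += 1
    return {
        "legit_admitted": len(legit_admitted),
        "flood_admitted": flood_admitted,
        "evictions": filt.evictions,
    }


if __name__ == "__main__":
    print("light flood:", run_scenario(20, 100, 5.0, 1000))
    print("heavy flood:", run_scenario(20, 2000, 5.0, 1000))
```

At 100 spoofed SYNs per second the filter admits all 20 clients on their first retransmit and passes no flood packet at all. At 2000 per second against a 1000-entry table, every pending entry is evicted in well under the 1 s a real stack waits before retransmitting, so no legitimate client ever gets in even though the flood is still fully blocked: the scarce resource has simply moved from the listen queue to the filter's own state table, which is the "what is being DoS'd" question the reply above raises.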