Vern Schriver at SGI has been running experiments and the conclusions are pretty compelling.
Yes, I have been looking for 'another approach' other than random drop, just as an alternative. But, since ICMP/IP seems to be broken, using ICMP UNREACHABLE error messages does not work. I agree that random drop is 'best current idea' (BCI :-). However, I think it is prudent to look at other possible approaches as well.

This is what I have been doing in the lab: looking to see if any other practical alternatives exist at the kernel implementation of TCP/IP. My efforts in the lab do not imply that random drop is not a good idea. On the contrary, the more I look for an alternative solution, the better random drop appears. However, it is interesting to see if another kernel mod would work as well...

I do worry about the limitation of the queue drop algorithm based on queue size and delay. FYI: I implemented 'someone's' version of random drop on my servers (using their patch) and the servers all crashed (when the attack was fast and hard on the same subnet). There is a lot of work to be done.

Thanks,
Tim