Pat Myrto wrote:
Alex P. Rudnev has declared that:
e-mail me asking for the code.
Actually, you provided enough details, so any unix guy who knows his sockets can write the program in fifteen minutes.
This type of attack was known for a long time (and there are even nastier variations using TCP header bits and fragments), and, unfortunately, there's no good defense against it. There is one base rule - you (OS) MUST limit resources (CPU, MEMORY, buffers, sockets, etc) catched by any SINGLE origin (IP address, program, service).
Such approach broke just any except a few DoS attacks - for example, if you try to exhaust memory attaking single service, then (1) service can't catch all memory because it's the SINGLE origin, and (2) one SRC address can't catch many resources because it's SINGLE origin, and (3) you can't generate too many different addresses in case of reverse-filtering.
Any ideas/suggestions to hacks to kernel, etc (i.e., freebsd, linux, etc) to impose such limits (configurable by admin, preferably)? Especially in the CPU usage and memory areas (perhaps sockets/handles, too).
from freebsd-current yesterday: Subject: half-fix for stream.c http://www.freebsd.org/~alfred/tcp_fix.diff damon