Re: New Denial of Service Attack on Panix
Avi writes: | > But of course. The problem is that SYN_RCVD is a transient state in the | > TCP automaton, and it requires some resources allocation. The life | > might have been a little bit different if servers weren't forced | > to track this state. Something like a signed ticket accompanying the | > second SYN and the following ACK. | > | > Dima | | That's the idea of making the iss a ticket that includes mss info and | a hash of the other info plus a security ticket. | | I had hoped to work on that but it looks like someone else local is almost | done and claims that ignoring window size and any data with the SYN(s) | is harmless... "someone else local" :-) has thrown the initial implementation up on his ftp server; sun3 & sun4 .o's and a back-port to Net/2 src code (note though, I have not tested the Net/2 port): ftp.op.net:/pub/src/syn-prophylactica/ I have been able to withstand a ~600+ syn/sec attack with no noticable problems (slightly increased load, but no dropped connections). --jeff
Thanks, Jeff! I almost sent out a version with your name && e-mail address but figured you might not have time to deal with e-mail from the curious...
"someone else local" :-) has thrown the initial implementation up on his ftp server; sun3 & sun4 .o's and a back-port to Net/2 src code (note though, I have not tested the Net/2 port):
ftp.op.net:/pub/src/syn-prophylactica/
I have been able to withstand a ~600+ syn/sec attack with no noticable problems (slightly increased load, but no dropped connections).
--jeff
Avi
participants (2)
-
Avi Freedman
-
Jeff Weisberg