Re: TCP SYN attacks - a simple solution
best solution known so far is Random Drop of waiting connections once queue fills to a limit at least as large as design RTT*Attack-Rate (queues in the 350-400 range appear to be quite sufficient for RTTs in the 250msec range with 1000-packets/second attacks).

Some also argue that somewhat more aggressive aging with Oldest Drop (aka FIFO) also helps while the queue fills to the point of instigating Random Drop. One can mutter about where transition between Oldest and Random should occur. I'm willing to believe hybrid strategy could be better at possible cost of more complexity. (although more aggressive Oldest Drop is probably just a timer tweak.)

Note that with Random Drop and 350-400 max queue size legit connections almost always complete on the first SYN with no retransmission.

cheers,
-mo
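As an added illustration (not code from the thread or from any of the participants), the following toy model puts Mike's sizing rule and the two drop policies he compares side by side. The limits, RTT and attack rate are the thread's numbers; the model itself and its simplifying assumptions are mine: the backlog is already full of spoofed entries when a legitimate SYN arrives, the client sends a single SYN and its ACK returns exactly one RTT later, there are no timers, and time is counted in attack-SYN arrivals. The `simulate` function and the closed-form helpers are hypothetical names, not kernel APIs.

```python
"""Toy model of a TCP half-open (SYN) backlog under a SYN flood.

Added illustration, not code from the thread. It compares Oldest Drop
(FIFO) with Random Drop using Mike O'Dell's rule of thumb: queue limit
at least RTT * attack rate. Time is measured in attack-SYN arrivals; a
legitimate client's entry must survive every attack arrival between its
SYN and its ACK, i.e. about RTT * attack_rate arrivals (250 for a 250 ms
RTT at 1000 SYN/s) in a steady flood, or the whole burst if the attacker
delivers a burst inside one RTT.
"""
import math
import random

ATTACK = "attack"   # spoofed SYN: its ACK never arrives, entry is dead weight
LEGIT = "legit"     # real client: ACK arrives one RTT after the SYN


def evict(backlog, policy, rng):
    """Make room in a full backlog according to the drop policy."""
    if policy == "oldest":
        backlog.pop(0)                               # FIFO: drop the oldest half-open entry
    elif policy == "random":
        backlog.pop(rng.randrange(len(backlog)))     # drop a uniformly chosen entry
    else:
        raise ValueError(f"unknown policy {policy!r}")


def admit(backlog, entry, limit, policy, rng):
    """Insert a new half-open entry, evicting one first if the queue is full."""
    if len(backlog) >= limit:
        evict(backlog, policy, rng)
    backlog.append(entry)


def simulate(policy, limit, syns_per_rtt, trials, seed=1):
    """Fraction of legitimate handshakes that complete on the first SYN.

    `syns_per_rtt` is the number of attack SYNs that arrive between the
    legitimate SYN and its ACK. Assumption: the queue is already full of
    attack entries (steady-state flood) when each trial starts.
    """
    rng = random.Random(seed)                # seeded so results are reproducible
    backlog = [ATTACK] * limit               # constructed steady state: all junk
    completed = 0
    for _ in range(trials):
        admit(backlog, LEGIT, limit, policy, rng)
        for _ in range(syns_per_rtt):        # flood continues while we wait for the ACK
            admit(backlog, ATTACK, limit, policy, rng)
        if LEGIT in backlog:                 # entry survived until the ACK arrived
            completed += 1
            backlog.remove(LEGIT)            # handshake done, entry leaves the queue
    return completed / trials


def random_drop_survival(limit, syns_per_rtt):
    """Closed form: each attack arrival evicts one of `limit` entries uniformly."""
    return (1 - 1 / limit) ** syns_per_rtt


def oldest_drop_survival(limit, syns_per_rtt):
    """Closed form: FIFO keeps the entry iff fewer than `limit` arrivals follow it."""
    return 1.0 if syns_per_rtt < limit else 0.0


def queue_limit_rule(rtt_seconds, attack_rate):
    """Mike O'Dell's sizing rule: limit at least RTT * attack rate."""
    return math.ceil(rtt_seconds * attack_rate)


if __name__ == "__main__":
    rtt, rate = 0.25, 1000                   # the thread's 250 ms RTT, 1000 SYN/s
    steady = queue_limit_rule(rtt, rate)     # 250 attack SYNs per RTT
    for limit in (200, 400):                 # below and above the rule's minimum
        for n in (steady, 2000):             # steady flood vs. a burst inside one RTT
            for policy in ("oldest", "random"):
                print(f"limit={limit:4d} syns/RTT={n:5d} {policy:7s} "
                      f"sim={simulate(policy, limit, n, 400):.3f}")
```

With these assumptions the model makes the trade-off in the thread concrete: when the flood delivered inside one RTT is smaller than the queue (limit 400, 250 SYNs per RTT), Oldest Drop keeps every legitimate entry while Random Drop keeps about 53% of them, which is the reason for aging with Oldest Drop while the queue fills; when the flood inside one RTT exceeds the queue (limit 200 at 250 SYNs per RTT, or a 2000-SYN burst), Oldest Drop loses every legitimate entry while Random Drop degrades gradually, and at the burst size both are near zero, which is the high-rate case Tim raises. The model ignores SYN-ACK retransmission and half-open timeouts, so its absolute figures are lower than the thread's "almost always" claim; the comparison between the policies is the point.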
> best solution known so far is Random Drop of waiting connections
> ....

Random Drop and Oldest drop do not work against high speed attacks. I thought it was agreed by all on this list last week that Jeff's solution to delay data structure initialization until after the handshake is complete was more reliable than Random Drop and is proven by Jeff on BSD to work with high speed attacks.

I'm confused on the "Random Drop is best" statement, Mike? There are very reliable 'others' who seem to have a better and more robust solution. Why the bias toward a solution that does not work but in the slow case?

Best Regards,
Tim
Tim Bass writes:
> best solution known so far is Random Drop of waiting connections ....
> Random Drop and Oldest drop do not work against high speed attacks.

In combination with Borman's minimization of the half open data structures (and hash tabling of those structures), they work pretty well against a fairly nasty attack.
> I thought it was agreed by all on this list last week

No it wasn't. There are, however, people that don't want to pollute all these lists with this chatter.

> that Jeff's solution to delay data structure initialization until after the handshake is complete was more reliable than Random Drop and is proven by Jeff on BSD to work with high speed attacks.

The stated technique is flawed in several ways. Among others, it breaks SYN filtering firewalls and breaks several important forms of TCP option negotiation.

Perry
participants (3): Mike O'Dell, Perry E. Metzger, Tim Bass