North American Network Operators Group


Re: New Denial of Service Attack on Panix

  • From: Perry E. Metzger
  • Date: Mon Sep 16 21:52:07 1996

Michael Dillon writes:
> There are at least three things you can do to protect yourself from such
> attacks. One is to patch your UNIX/BSD kernel to allow much higher numbers
> of incomplete socket connections.

Also, hashing the incoming PCBs is a big win.

> One is to have another machine or your network issue RST's for
> sockets that it thinks are part of the SYN flood attack.

That's not particularly useful, since automatically detecting these
things can't be done in the general case and processing the RSTs
costs. This is ISS's approach and I don't really like it.

> And one is to install a SYN proxy machine between your net and the
> Internet which catches all SYN packets and holds them until an ACK is
> received at which point the SYN and the ACK are passed on to your network.
> Such a proxy can be built to handle HUGE numbers of incomplete connections.

That breaks TCP, and often badly. In fact, the problem isn't so bad
with a properly designed kernel. The initial experiments say that
increasing the size of the incoming connection queue, hashing the
queue, and adaptively lowering the timeout on infant connections
should permit you to survive a pretty intense attack without stopping
service. This is probably the best approach for people to unilaterally
take.

However, in general, it would be very nice for providers to start
filtering their customers so that they could not send forged packets
from network numbers they don't own.

Perry
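The following is an added illustration and is not part of Perry's message or of any BSD kernel: a small model of the incomplete-connection ("infant") queue that compares the classic fixed-size, fixed-timeout queue with the three changes he lists (a larger queue, hashed lookup, and a timeout that shrinks as the queue fills). It is a pure simulation: forged SYNs are plain records fed to the model and nothing touches the network. The 75-second base timeout, the 128 and 1024 queue sizes, the flood and client rates, and the linear timeout decay are all assumed values chosen for the model, not figures from the post.

```python
"""Model of a kernel's half-open (embryonic) TCP connection queue.

Constructed simulation: spoofed SYNs are data records, no packets are sent.
Compares a classic small queue with a fixed timeout against a larger,
hashed queue whose timeout drops as it fills.
"""
from dataclasses import dataclass, field


@dataclass
class SynQueue:
    capacity: int          # max half-open entries (analogue of the listen backlog)
    base_timeout: float    # seconds an entry may wait for its ACK when the queue is empty
    min_timeout: float     # floor for the adaptive timeout
    adaptive: bool         # False = classic fixed timeout
    nbuckets: int = 64     # hash buckets: lookup cost stays flat as the queue grows
    buckets: list = field(init=False)
    count: int = field(default=0, init=False)
    dropped: int = field(default=0, init=False)   # SYNs refused because the queue was full

    def __post_init__(self):
        self.buckets = [dict() for _ in range(self.nbuckets)]

    def _bucket(self, key):
        ip, port = key
        # Cheap multiplicative hash of the (src ip, src port) pair; assumed, not BSD's.
        return (ip * 2654435761 + port) % self.nbuckets

    def current_timeout(self):
        if not self.adaptive:
            return self.base_timeout
        load = self.count / self.capacity
        # Assumed policy: shrink linearly from base_timeout (empty) toward min_timeout (full).
        return max(self.min_timeout, self.base_timeout * (1.0 - load))

    def expire(self, now):
        limit = self.current_timeout()
        for bucket in self.buckets:
            stale = [k for k, created in bucket.items() if now - created > limit]
            for k in stale:
                del bucket[k]
            self.count -= len(stale)

    def on_syn(self, key, now):
        """Admit a SYN into the half-open table; returns False if it had to be dropped."""
        self.expire(now)
        if self.count >= self.capacity:
            self.dropped += 1
            return False
        bucket = self.buckets[self._bucket(key)]
        if key not in bucket:
            self.count += 1
        bucket[key] = now
        return True

    def on_ack(self, key):
        """Final handshake ACK: the entry leaves the half-open table."""
        bucket = self.buckets[self._bucket(key)]
        if key in bucket:
            del bucket[key]
            self.count -= 1
            return True
        return False


def simulate(queue, seconds=60, attack_rate=50, legit_rate=5):
    """Each second: attack_rate forged SYNs from fresh constructed addresses that
    never complete, then legit_rate real clients whose ACK arrives within the
    same second.  Returns (legit_completed, legit_dropped)."""
    completed = dropped = 0
    forged_ip = 0x0A000000                      # constructed 10.0.0.0/8 source range
    for now in range(seconds):
        for i in range(attack_rate):
            forged_ip += 1
            queue.on_syn((forged_ip, 40000 + i), float(now))
        accepted = []
        for i in range(legit_rate):
            key = (0xC0A80100 + i, 50000 + now)  # constructed 192.168.1.x clients
            if queue.on_syn(key, float(now)):
                accepted.append(key)
            else:
                dropped += 1
        for key in accepted:
            if queue.on_ack(key):
                completed += 1
    return completed, dropped


def compare(seconds=60):
    """(completed, dropped) for the classic queue and for the hardened one."""
    classic = SynQueue(capacity=128, base_timeout=75.0, min_timeout=75.0, adaptive=False)
    hardened = SynQueue(capacity=1024, base_timeout=75.0, min_timeout=1.0, adaptive=True)
    return simulate(classic, seconds), simulate(hardened, seconds)


if __name__ == "__main__":
    (c_ok, c_drop), (h_ok, h_drop) = compare()
    print(f"classic : {c_ok} legit completed, {c_drop} dropped")
    print(f"hardened: {h_ok} legit completed, {h_drop} dropped")
```

With these assumed rates the classic queue fills within three seconds and refuses every real client for the rest of the run, while the hardened queue settles at a few hundred entries because forged SYNs age out faster as the load rises; no real client is refused. The model says nothing about the provider-side filtering Perry asks for at the end, which is the complementary control that stops the forged packets at the source.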