North American Network Operators Group

Re: New Denial of Service Attack on Panix
> Michael Dillon writes:
> > There are at least three things you can do to protect yourself from such
> > attacks. One is to patch your UNIX/BSD kernel to allow much higher numbers
> > of incomplete socket connections.
>
> Also, hashing the incoming PCBs is a big win.

Or not even creating PCBs and socket structures for the unacknowledged SYNs.
Keep them in a data structure that stores the pertinent info and reconstruct
the packets when the ack comes in (when you create the mbufs/PCB/socket).

> That breaks TCP, and often badly. In fact, the problem isn't so bad
> with a properly designed kernel. The initial experiments say that
> increasing the size of the incoming connection queue, hashing the
> queue, and adaptively lowering the timeout on infant connections
> should permit you to survive a pretty intense attack without stopping
> service. This is probably the best approach for people to unilaterally
> take.

Hear, hear.

> However, in general, it would be very nice for providers to start
> filtering their customers so that they could not send forged packets
> from network numbers they don't own.

Hear, hear, hear.

> Perry

Avi
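The kernel-side approach the thread converges on (keep only the pertinent info for unacknowledged SYNs in a hashed structure, lower the timeout as load rises, and build the real socket only when the ACK arrives) is sketched below as an added example in C. It is not code from this thread or from any BSD kernel; the names, bucket sizes and timeout values are hypothetical, and timestamps are supplied by the caller in milliseconds rather than read from a clock.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added illustration (not from this thread or any BSD kernel): a toy SYN
 * cache. Unacknowledged SYNs become compact entries in a hashed, bucketed
 * table instead of PCB+socket pairs, the timeout shrinks as the table fills,
 * and only a handshake-completing ACK promotes an entry. Names, sizes and
 * timeouts are hypothetical. */
#define SC_BUCKETS     64
#define SC_DEPTH       8                           /* entries per bucket */
#define SC_CAPACITY    (SC_BUCKETS * SC_DEPTH)
#define SC_TIMEOUT_MAX 75000ULL      /* ms: the classic 75 s at zero load */
#define SC_TIMEOUT_MIN 3000ULL       /* ms: floor reached when the table is full */

struct sc_entry {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint32_t iss;                /* our initial seq; a valid ACK carries iss+1 */
    uint64_t expires_ms;
    bool     used;
};

struct syn_cache {
    struct sc_entry bucket[SC_BUCKETS][SC_DEPTH];
    size_t   count;              /* live half-open entries */
    unsigned established;        /* promoted by a valid ACK */
    unsigned expired;            /* reaped by timeout */
    unsigned evicted;            /* oldest entry pushed out of a full bucket */
};

void sc_init(struct syn_cache *c) { memset(c, 0, sizeof *c); }

/* Multiplicative hash of the 4-tuple: spoofed random sources spread over
 * buckets, so a lookup scans at most SC_DEPTH entries, never the whole table. */
static size_t sc_hash(uint32_t sip, uint16_t sport, uint32_t dip, uint16_t dport)
{
    uint32_t h = sip * 2654435761u ^ dip * 40503u ^ ((uint32_t)sport << 16 | dport);
    return (h ^ (h >> 16)) % SC_BUCKETS;
}

/* Adaptive timeout: linear from SC_TIMEOUT_MAX (empty) down to SC_TIMEOUT_MIN (full). */
uint64_t sc_timeout_ms(const struct syn_cache *c)
{
    return SC_TIMEOUT_MAX - (SC_TIMEOUT_MAX - SC_TIMEOUT_MIN) * c->count / SC_CAPACITY;
}

static bool sc_match(const struct sc_entry *e, uint32_t sip, uint16_t sport, uint32_t dip, uint16_t dport)
{
    return e->used && e->src_ip == sip && e->src_port == sport && e->dst_ip == dip && e->dst_port == dport;
}

/* Free an entry and bump the statistic that explains why it went away. */
static void sc_drop(struct syn_cache *c, struct sc_entry *e, unsigned *n) { e->used = false; c->count--; (*n)++; }

/* Incoming SYN: record only what is needed to finish the handshake later. */
void sc_on_syn(struct syn_cache *c, uint32_t sip, uint16_t sport, uint32_t dip,
               uint16_t dport, uint32_t iss, uint64_t now_ms)
{
    struct sc_entry *b = c->bucket[sc_hash(sip, sport, dip, dport)];
    struct sc_entry *slot = NULL, *oldest = NULL;
    for (int i = 0; i < SC_DEPTH; i++) {
        struct sc_entry *e = &b[i];
        if (e->used && e->expires_ms <= now_ms) sc_drop(c, e, &c->expired); /* lazy reap */
        if (!e->used) { if (!slot) slot = e; continue; }
        if (sc_match(e, sip, sport, dip, dport)) {                /* retransmitted SYN */
            e->expires_ms = now_ms + sc_timeout_ms(c);
            return;
        }
        if (!oldest || e->expires_ms < oldest->expires_ms) oldest = e;
    }
    if (!slot) { slot = oldest; sc_drop(c, oldest, &c->evicted); } /* bucket full */
    *slot = (struct sc_entry){ .src_ip = sip, .dst_ip = dip, .src_port = sport,
                               .dst_port = dport, .iss = iss, .used = true,
                               .expires_ms = now_ms + sc_timeout_ms(c) };
    c->count++;
}

/* Incoming ACK: promote only a live entry whose ACK number is iss+1. This is
 * the point where a real kernel would at last allocate the mbufs/PCB/socket. */
bool sc_on_ack(struct syn_cache *c, uint32_t sip, uint16_t sport, uint32_t dip,
               uint16_t dport, uint32_t ack, uint64_t now_ms)
{
    struct sc_entry *b = c->bucket[sc_hash(sip, sport, dip, dport)];
    for (int i = 0; i < SC_DEPTH; i++) {
        struct sc_entry *e = &b[i];
        if (!sc_match(e, sip, sport, dip, dport)) continue;
        if (e->expires_ms <= now_ms) { sc_drop(c, e, &c->expired); return false; }
        if (ack != e->iss + 1) return false;                      /* bogus ACK: keep entry */
        sc_drop(c, e, &c->established);
        return true;
    }
    return false;
}

/* Periodic reaper; returns how many stale entries it removed. */
size_t sc_expire(struct syn_cache *c, uint64_t now_ms)
{
    size_t n = 0;
    for (int i = 0; i < SC_CAPACITY; i++) {
        struct sc_entry *e = &c->bucket[i / SC_DEPTH][i % SC_DEPTH];
        if (e->used && e->expires_ms <= now_ms) { sc_drop(c, e, &c->expired); n++; }
    }
    return n;
}
```

Drive it by calling sc_on_syn for each SYN and sc_on_ack for each third-handshake ACK, with sc_expire on a timer. Under a flood from many spoofed sources the table fills, sc_timeout_ms falls toward the floor, and flooded buckets evict their oldest entry, yet a genuine client that answers within seconds still completes and is counted in established. A production version must also keep whatever the SYN-ACK advertised (MSS, window scaling and other options) so the socket can be reconstructed faithfully when the ACK arrives; this toy stores only the sequence number.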