North American Network Operators Group


Re: New Denial of Service Attack on Panix

  • From: Tim Bass
  • Date: Thu Oct 03 12:09:33 1996

> 
> Vern Schriver at SGI has been running experiments and 
> the conclusions are pretty compelling.
> 

Yes, I have been looking for 'another approach' other than random
drop, just as an alternative.  But, since ICMP/IP seems to be
broken, using ICMP UNREACHABLE error messages does not work.

I agree that random drop is 'best current idea' (BCI :-)
However, I think it is prudent to look at other possible
approaches as well.  This is what I have been doing in the lab;
looking to see if any other practical alternatives exist
at the kernel implementation of TCP/IP.

My efforts in the lab do not imply that random drop 
is not a good idea.   On the contrary, the
more I look for an alternative solution, the better
random drop appears.  

However, it is interesting to see if another kernel
mod would work as well.........  I do worry about
the limitation of the queue drop algorithm based
on queue size and delay.  

FYI:  I implemented 'someone's' version of random drop
on my servers (using their patch) and the servers
all crashed (when the attack was fast and hard on
the same subnet).  There is a lot of work to be
done.

Thanks,

Tim
