North American Network Operators Group

Re: TCP SYN attacks
Avi Freedman writes:

> > > Now what is 100,000 entries? With the timeout aggressively set at 10
> > > secs (heck, with 10 secs I sometimes cannot even get all the images on
> > > home.netscape.com) it's only 1000 SYNs/sec. How many hosts do you want to
> > > protect with such a firewall?
> > >
> > > Dima
>
> A timeout of 10 seconds is on two packets going back and forth.
> Many have said that the timeout must be much higher. I just don't
> see it. A SYN arrives. A SYN-ACK is sent out. A 10 second timer
> starts that is counted down to 0. An ACK of that SYN-ACK arrives
> back within the 10 seconds and we set up the connection. If the
> two packets can't each go one way in 10 seconds, the SYN will be
> retransmitted.

(quoting myself):

> (heck, with 10 secs I sometimes cannot even get all the images on
> home.netscape.com)

My kernel values:

    tcp_ip_abort_cinterval   10000
    tcp_ip_notify_cinterval   1000

In Solaris, these values work for both incoming and outgoing connections.
I could have lowered the notify_cinterval even more though.

And I'm not even on a dial-up line:

    traceroute to www30.netscape.com (207.12.240.31), 30 hops max, 40 byte packets
     1  206.229.244.1 (206.229.244.1)  159 ms  106 ms  10 ms
     2  sl-dc-17-S1/0-T1.sprintlink.net (144.228.0.225)  11 ms  7 ms  15 ms
     3  sl-dc-6-F0/0.sprintlink.net (144.228.20.6)  19 ms  8 ms  8 ms
     4  sl-stk-5-H1/0-T3.sprintlink.net (144.228.10.2)  80 ms  81 ms  79 ms
     5  sl-stk-16-F0/0.sprintlink.net (144.228.40.16)  77 ms  79 ms  81 ms
     6  sl-netscape-1-s-T3.sprintlink.net (144.228.146.26)  223 ms  101 ms  162 ms
     7  207.12.240.31 (207.12.240.31)  147 ms  85 ms  92 ms

> My preferred approach is to not even have to store state on any
> of the embryonic connections. And to implement the fix on all
> of my hosts. And customers can implement it in a firewall, if
> they choose (and have boxes which can't be fixed: Win95, NT, Macs, ...).

That's for sure. The only thing that bothers me with this approach:
why do we need all those stinking options in TCP SYN packets then?

> Avi

Dima
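As an added example (not code from the thread, Avi, Dima, or any particular operating system), the following Python models the two designs argued about above: a bounded table of embryonic connections whose entries expire after a fixed timeout, and a stateless scheme in the style of SYN cookies, where the SYN-ACK's initial sequence number is a keyed hash the server re-derives from the returning ACK instead of remembering the SYN. The class names, the secret, the MSS bucket table and the cookie bit layout are assumptions made for this illustration. It also shows the cost behind the closing question about SYN options: with no stored state, only what fits in the 32-bit sequence number survives, so the peer's MSS is rounded down to a bucket and window scale, SACK and the other SYN options are lost.

```python
import hashlib
import hmac
import time

# Constructed example for the discussion above; not code from the NANOG thread
# or from any kernel.  Names, the secret, the MSS bucket table and the cookie
# bit layout are assumptions made for illustration only.

KEY = b"server-secret-rotate-me"       # assumption: secret known only to the server
MSS_TABLE = (536, 1460, 4312, 8960)    # assumption: 4 MSS buckets, fits in 3 bits


class HalfOpenTable:
    """Stateful design: remember every SYN until its ACK arrives or it times out."""

    def __init__(self, capacity, timeout_s):
        self.capacity = capacity
        self.timeout_s = timeout_s
        self.entries = {}  # (saddr, sport) -> time the SYN was received

    def expire(self, now):
        """Drop embryonic connections older than the timeout."""
        dead = [k for k, t in self.entries.items() if now - t >= self.timeout_s]
        for k in dead:
            del self.entries[k]

    def on_syn(self, saddr, sport, now):
        """Return False when the table is full: the state a SYN flood aims for."""
        self.expire(now)
        if len(self.entries) >= self.capacity:
            return False
        self.entries[(saddr, sport)] = now
        return True

    def on_ack(self, saddr, sport, now):
        """Complete the handshake only if the SYN is still remembered."""
        self.expire(now)
        return self.entries.pop((saddr, sport), None) is not None

    @staticmethod
    def sustainable_syn_rate(capacity, timeout_s):
        """SYNs/sec at which a table of `capacity` entries, each kept for
        `timeout_s` seconds, is exactly full in steady state."""
        return capacity / timeout_s


class SynCookie:
    """Stateless design: the SYN-ACK's ISN is a keyed hash re-derived from the
    returning ACK, so nothing is stored per SYN.  Assumed ISN layout:
    5-bit time counter | 3-bit MSS index | 24-bit truncated HMAC."""

    def __init__(self, key, period_s=64):
        self.key = key
        self.period_s = period_s  # cookies older than about two periods are rejected

    def _counter(self, now):
        return int(now) // self.period_s

    def _mac(self, saddr, daddr, sport, dport, counter):
        msg = f"{saddr}|{daddr}|{sport}|{dport}|{counter}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")  # keep 24 bits

    def make_isn(self, saddr, daddr, sport, dport, peer_mss, now=None):
        """ISN for the SYN-ACK.  Only an MSS bucket survives; window scale, SACK
        and the other SYN options cannot be encoded and are lost."""
        now = time.time() if now is None else now
        counter = self._counter(now)
        mss_idx = 0
        for i, m in enumerate(MSS_TABLE):
            if m <= peer_mss:
                mss_idx = i  # largest bucket not exceeding what the peer offered
        mac = self._mac(saddr, daddr, sport, dport, counter)
        return ((counter & 0x1F) << 27) | (mss_idx << 24) | mac

    def check_ack(self, saddr, daddr, sport, dport, ack, now=None):
        """Validate the handshake-completing ACK; return the recovered MSS or None."""
        now = time.time() if now is None else now
        isn = (ack - 1) & 0xFFFFFFFF
        counter_bits = isn >> 27
        mss_idx = (isn >> 24) & 0x7
        mac = isn & 0xFFFFFF
        current = self._counter(now)
        for candidate in (current, current - 1):  # tolerate one period of delay
            if (candidate & 0x1F) == counter_bits \
                    and mss_idx < len(MSS_TABLE) \
                    and self._mac(saddr, daddr, sport, dport, candidate) == mac:
                return MSS_TABLE[mss_idx]
        return None


if __name__ == "__main__":
    # Constructed traffic: a flood fills a small stateful table, while the
    # cookie server keeps no memory and still completes a legitimate handshake.
    table = HalfOpenTable(capacity=3, timeout_s=10)
    dropped = sum(not table.on_syn(f"203.0.113.{i}", 40000 + i, 0.0) for i in range(10))
    print("SYNs dropped by the stateful table during the flood:", dropped)
    srv = SynCookie(KEY)
    isn = srv.make_isn("198.51.100.7", "192.0.2.80", 5000, 80, 1460, now=1000.0)
    print("legit ACK, MSS recovered:",
          srv.check_ack("198.51.100.7", "192.0.2.80", 5000, 80, isn + 1, now=1001.0))
    print("forged ACK accepted:",
          srv.check_ack("198.51.100.7", "192.0.2.80", 5000, 80, 12345, now=1001.0))
```

The stateful table is sized by capacity divided by timeout, which is why the thread argues about both numbers; the cookie server has no such limit, but it must rotate the secret, tolerate a clock period of delay, and accept that anything not packed into the sequence number (here everything except an MSS bucket) is gone by the time the ACK comes back.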