North American Network Operators Group


Re: DoS, ICMP, proxies, SYNDefender

  • From: Avi Freedman
  • Date: Fri Oct 04 16:21:19 1996

See Jeff Weisberg's post to nanog yesterday.
It can be solved in tcp_input.c, even for tens of thousands
of syn packets/second.  Just keep no state until the syn/ack
comes back (and with a valid hash matching one you would have
supplied as an initial seq number).

Avi

> Dimo laments:
> > Yep. Life sucks and we all die.
> 
> Victor Hugo, _The Hunchback of Notre Dame_ and _Les Miserables_
> both inspired by the author seeing the word FATALITY graphically
> painted on a wall in Paris.  (I highly recommend _Les Miserables_)
> Jean Valjean, the man who, for stealing a loaf of bread to
> feed a starving family, lives out his entire life in misery...
> ... hence, FATALITY (set in Paris in the early 1800s)
> 
> Anyway  .....
> 
> I'll drop off unless someone can provide a technical suggestion
> on an algorithm that will stop high speed TCP SYN attacks
> in tcp_input.c (otherwise, I'm not moving toward my aim/target)
> 
> What is the IPV6 approach to solving this problem?  Is there one?
> 
> Regards,
> 
> Tim

- - - - - - - - - - - - - - - - -
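
The stateless approach described in the message above, as an added example that is not part of the original post or of any real tcp_input.c: the server's initial sequence number is a keyed hash of the connection, nothing is stored on SYN, and the returning handshake packet is accepted only if its ack number matches a hash the server would have issued. The names `flow`, `mix`, `syn_cookie`, `ack_valid`, the two-slot validity window and the sample addresses are assumptions; `mix` is a non-cryptographic stand-in for a keyed cryptographic hash.

```c
#include <stdint.h>
#include <stdio.h>

/* 4-tuple plus the client's ISN (on the returning ACK this is seq - 1). */
struct flow { uint32_t saddr, daddr; uint16_t sport, dport; uint32_t client_isn; };

static const uint64_t SECRET = 0x9e3779b97f4a7c15ULL; /* constructed; random per boot in practice */

/* Stand-in mixer (splitmix64 finalizer). NOT cryptographic:
 * substitute a keyed cryptographic hash in real use. */
static uint64_t mix(uint64_t x) {
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    return x ^ (x >> 31);
}

/* ISN the server puts in its SYN/ACK for a SYN seen in time slot `slot`.
 * Derived only from packet fields and the secret, so no state is kept. */
static uint32_t syn_cookie(const struct flow *f, uint32_t slot) {
    uint64_t h = mix(SECRET ^ (((uint64_t)f->saddr << 32) | f->daddr));
    h = mix(h ^ (((uint64_t)f->sport << 16) | f->dport));
    h = mix(h ^ (((uint64_t)f->client_isn << 32) | slot));
    return (uint32_t)h;
}

/* On the returning ACK: its ack number must be cookie + 1 for the current
 * or the previous slot. Only then is connection state allocated. */
static int ack_valid(const struct flow *f, uint32_t ack, uint32_t now_slot) {
    for (uint32_t age = 0; age < 2; age++)
        if (ack - 1 == syn_cookie(f, now_slot - age))
            return 1;
    return 0;
}

int main(void) {
    /* Constructed sample flow: 192.0.2.1:40000 -> 198.51.100.7:80 */
    struct flow f = { 0xc0000201u, 0xc6336407u, 40000, 80, 1000 };
    uint32_t isn = syn_cookie(&f, 7);
    printf("genuine ACK, same slot: %d\n", ack_valid(&f, isn + 1, 7));
    printf("genuine ACK, next slot: %d\n", ack_valid(&f, isn + 1, 8));
    printf("stale ACK:              %d\n", ack_valid(&f, isn + 1, 10));
    printf("guessed ACK:            %d\n", ack_valid(&f, 12345, 7));
    return 0;
}
```

A SYN with a forged source address costs the server one hash and one reply, since the sender never sees the SYN/ACK and cannot return a matching ack number.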