North American Network Operators Group

Re: New form of packet attack named Stream
Pat Myrto wrote:
>
> Alex P. Rudnev has declared that:
>>
>>
>> > > e-mail me asking for the code.
>> >
>> > Actually, you provided enough details, so any unix guy who knows
>> > his sockets can write the program in fifteen minutes.
>> >
>> > This type of attack was known for a long time (and there are even
>> > nastier variations using TCP header bits and fragments), and, unfortunately,
>> > there's no good defense against it.
>> There is one base rule - you (OS) MUST limit resources (CPU, MEMORY, buffers,
>> sockets, etc) caught by any SINGLE origin (IP address, program, service).
>>
>> Such an approach breaks just about any DoS attack except a few - for example, if you try
>> to exhaust memory attacking a single service, then (1) the service can't catch all
>> memory because it's a SINGLE origin, and (2) one SRC address can't catch many
>> resources because it's a SINGLE origin, and (3) you can't generate too many
>> different addresses in case of reverse-filtering.
>
> Any ideas/suggestions for hacks to the kernel, etc. (i.e., freebsd, linux, etc.)
> to impose such limits (configurable by admin, preferably)? Especially
> in the CPU usage and memory areas (perhaps sockets/handles, too).

from freebsd-current yesterday:

Subject: half-fix for stream.c
http://www.freebsd.org/~alfred/tcp_fix.diff

damon