North American Network Operators Group


Re: New form of packet attack named Stream

  • From: Damon M. Conway
  • Date: Fri Jan 21 17:00:35 2000

 Pat Myrto wrote:
>
>Alex P. Rudnev has declared that:
>> 
>> 
>> > > e-mail me asking for the code.
>> > 
>> > Actually, you provided enough details, so any unix guy who knows
>> > his sockets can write the program in fifteen minutes.
>> > 
>> > This type of attack was known for a long time (and there are even
>> > nastier variations using TCP header bits and fragments), and, unfortunately,
>> > there's no good defense against it.
>> There is one base rule - you (the OS) MUST limit the resources (CPU, memory, buffers,
>> sockets, etc.) grabbed by any SINGLE origin (IP address, program, service).
>> 
>> Such an approach breaks just about any DoS attack except a few - for example, if you try
>> to exhaust memory by attacking a single service, then (1) the service can't grab all
>> memory because it's a SINGLE origin, and (2) one SRC address can't grab many
>> resources because it's a SINGLE origin, and (3) you can't generate too many
>> different addresses in the case of reverse filtering.
>
>Any ideas/suggestions for hacks to the kernel, etc. (i.e., FreeBSD, Linux, etc.)
>to impose such limits (configurable by the admin, preferably)?  Especially
>in the CPU usage and memory areas (perhaps sockets/handles, too).

from freebsd-current yesterday:

Subject: half-fix for stream.c
http://www.freebsd.org/~alfred/tcp_fix.diff

damon
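The per-origin limiting rule Alex Rudnev describes above, worked through as an added simulation that is not part of the NANOG thread and not the FreeBSD patch linked by Damon. It models a shared pool of kernel state slots (think half-open TCP connections or socket buffers) that the OS caps per source IP and per listening service, paired with a simplified ingress (reverse-path) filter. The pool size, caps, prefixes, addresses and traffic patterns are all constructed for the demonstration; the `OriginLimiter` class and its helpers are hypothetical names, not any real kernel's API.

```python
"""Per-origin resource accounting, as a constructed simulation.

Added example, not code from the NANOG thread or from FreeBSD. Every
admitted packet consumes one state slot, charged to its source IP and to
the destination service; a packet is refused when a per-origin cap or the
shared pool is exhausted, or when the source fails the ingress filter.
"""
import ipaddress
from collections import Counter


class OriginLimiter:
    """Admission control for a shared pool of state slots (hypothetical)."""

    def __init__(self, pool_total, per_source_cap, per_service_cap,
                 expected_prefixes=None):
        self.pool_total = pool_total
        self.per_source_cap = per_source_cap
        self.per_service_cap = per_service_cap
        # Simplified ingress filter: prefixes this interface legitimately
        # sources traffic from (constructed). None disables the filter.
        self.expected_prefixes = (
            [ipaddress.ip_network(p) for p in expected_prefixes]
            if expected_prefixes is not None else None)
        self.used = 0
        self.per_source = Counter()
        self.per_service = Counter()
        self.stats = Counter()

    def _passes_ingress_filter(self, src):
        if self.expected_prefixes is None:
            return True
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.expected_prefixes)

    def admit(self, src, service):
        """Allocate one slot and return True, or count the drop and return False."""
        if not self._passes_ingress_filter(src):
            self.stats["drop_ingress_filter"] += 1
            return False
        if self.per_source[src] >= self.per_source_cap:
            self.stats["drop_per_source"] += 1
            return False
        if self.per_service[service] >= self.per_service_cap:
            self.stats["drop_per_service"] += 1
            return False
        if self.used >= self.pool_total:
            self.stats["drop_pool_exhausted"] += 1
            return False
        self.used += 1
        self.per_source[src] += 1
        self.per_service[service] += 1
        self.stats["admitted"] += 1
        return True

    def release(self, src, service):
        """Free a slot when the connection completes or times out."""
        if self.per_source[src] > 0 and self.per_service[service] > 0:
            self.used -= 1
            self.per_source[src] -= 1
            self.per_service[service] -= 1


def single_source_flood(n, src="10.1.2.3", service=80):
    """One host hammering one service (constructed traffic)."""
    return [(src, service)] * n


def spoofed_flood(n, service=80):
    """Stream-style flood: every packet carries a different forged source.
    Sources are drawn sequentially from 100.64.0.0 so they are unique and
    lie outside the constructed 'expected' prefix 10.0.0.0/8."""
    base = int(ipaddress.IPv4Address("100.64.0.0"))
    return [(str(ipaddress.IPv4Address(base + i)), service) for i in range(n)]


def run(packets, expected_prefixes=None):
    """Feed packets through a limiter with constructed caps and return the
    drop/admit counts, plus whether a legitimate client on another service
    (10.5.5.5 -> port 22, constructed) still gets a slot afterwards."""
    lim = OriginLimiter(pool_total=1000, per_source_cap=10,
                        per_service_cap=400, expected_prefixes=expected_prefixes)
    for src, svc in packets:
        lim.admit(src, svc)
    stats = dict(lim.stats)
    stats["legit_admitted"] = lim.admit("10.5.5.5", 22)
    return stats


if __name__ == "__main__":
    print("single source  :", run(single_source_flood(500)))
    print("spoofed, no rpf:", run(spoofed_flood(2000)))
    print("spoofed + rpf  :", run(spoofed_flood(2000), ["10.0.0.0/8"]))
```

The three runs correspond to the three points in the quoted rule: a single source is held to its per-source cap, a spoofed flood against one service is held to that service's cap (so the rest of the pool stays free for the legitimate client on port 22), and with the ingress filter in place the forged sources never get a slot at all. Whether a real kernel can do this cheaply is the open question in the thread; the simulation only shows what the accounting has to look like.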