[ On July 24, 2001 at 15:05:10 (-0400), stanislav shalunov wrote: ]
> Subject: Re: FIN_WAIT_1 DoS (netkill): Why the vulnerability still exists?
>
> (I'd rather throw away random connections, with preference to those
> that eat a lot of buffer space).

That seems illogical given the nature of the problem. You definitely want to start cleaning up by throwing away connections in the FIN_WAIT_1 state. Starting with the oldest ones may have less impact on valid connections than simply clobbering random ones, and/or clobbering the ones with the most buffers used.

If you've got some way to tell which connections have ever successfully transmitted some valid data packets (i.e. gone beyond the handshake and received any ACKs) then you might initially drop only the connections which have not ever transmitted any data (er, received any valid ACKs for sent packets).

I guess it is possible for the attacker(s) to work around this first-level defense though and ACK one or two data packets first, but will they? :-)

--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoodsat_private> <woodsat_private>
Planix, Inc. <woodsat_private>; Secrets of the Weird <woodsat_private>
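The reclaim order proposed in the message above, written out as a small simulation. This is an added example, not code from the thread or from any TCP stack: the connection table, the field names (state, opened_at, send_buf, data_acked) and the attack scenario are all constructed here. It ranks FIN_WAIT_1 connections so that those which never had any sent data ACKed go first, then the oldest, breaking ties by the largest send buffer, and it never touches connections in other states. Connection 4 models the workaround the message anticipates: an attacker who ACKs a couple of data packets before abandoning the connection drops out of the first tier but is still reclaimed in the second, before a legitimate client that went away mid-close.

```python
"""Victim selection for FIN_WAIT_1 send-buffer exhaustion (constructed example).

When the stack runs out of send-buffer memory, reclaim FIN_WAIT_1
connections first, in this order:
  1. connections that never had any sent data acknowledged (handshake
     only, then a close), oldest first, largest send buffer first;
  2. the remaining FIN_WAIT_1 connections, same tie-breaking.
Connections in any other state are never candidates.
"""
from dataclasses import dataclass


@dataclass
class Conn:
    cid: int
    state: str          # TCP state name, e.g. "ESTABLISHED", "FIN_WAIT_1"
    opened_at: float    # seconds; when the handshake completed
    send_buf: int       # bytes of unacknowledged data queued for (re)transmission
    data_acked: int     # payload bytes the peer has ever acknowledged


def never_acked_data(c: Conn) -> bool:
    """True if the peer never ACKed a single byte of payload we sent."""
    return c.data_acked == 0


def reclaim_order(conns):
    """Return FIN_WAIT_1 connections in the order they should be dropped."""
    fw1 = [c for c in conns if c.state == "FIN_WAIT_1"]
    # Sort key: tier (never-ACKed first), then age (oldest first),
    # then send-buffer size (largest first).
    return sorted(fw1, key=lambda c: (not never_acked_data(c), c.opened_at, -c.send_buf))


def reclaim(conns, need_bytes):
    """Drop victims until at least need_bytes of send buffer is freed.

    Returns (list of victim connection ids, bytes freed). If every
    FIN_WAIT_1 connection is dropped and the target is still not met,
    the caller gets back less than need_bytes rather than a victim in
    another state.
    """
    freed, victims = 0, []
    for c in reclaim_order(conns):
        if freed >= need_bytes:
            break
        victims.append(c.cid)
        freed += c.send_buf
    return victims, freed


# Constructed connection table (hypothetical values, not captured data):
SAMPLE = [
    Conn(1, "ESTABLISHED", 0.0, 65536, 1_000_000),  # busy legitimate transfer
    Conn(2, "FIN_WAIT_1", 10.0, 32768, 0),          # attacker: never ACKed data
    Conn(3, "FIN_WAIT_1", 5.0, 16384, 0),           # attacker: older, never ACKed data
    Conn(4, "FIN_WAIT_1", 1.0, 49152, 2000),        # attacker who ACKed a couple of packets
    Conn(5, "FIN_WAIT_1", 20.0, 8192, 500_000),     # legitimate client that vanished mid-close
]


if __name__ == "__main__":
    print("reclaim order:", [c.cid for c in reclaim_order(SAMPLE)])
    print("free 40000:", reclaim(SAMPLE, 40000))
    print("free 100000:", reclaim(SAMPLE, 100000))
```

Running it shows the never-ACKed connections 3 and 2 going first (3 before 2 because it is older), then the attacker that ACKed some data (4), then the legitimate half-closed client (5); the ESTABLISHED connection is never selected no matter how much memory is requested.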
This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 12:00:49 PDT