On Fri, Feb 18, 2000 at 03:10:18PM -0500, Paul Cardon wrote:
> There are strategies for managing this buffer that make it more
> resistant to attack. Simply increasing the buffer size and decreasing
> the timeout value are not sufficient. I don't have the exact page
> number, but see the section of Unix Network Programming Volume 1 (Second
> Edition) that describes the backlog parameter of listen(). There are
> references to two strategies for making the stack more resistant to SYN
> Floods. On the face of it I don't see how RSA's strategy improves
> anything but I also have yet to read the entire thing.

A strategy designed by Dan Bernstein called SYN cookies
(ftp://koobera.math.uic.edu/pub/docs/syncookies-archive) prevents the buffer
from overflowing on a machine under attack. The basic idea is to encode some
connection parameters in the initial sequence number that is sent back in the
SYN-ACK TCP packet and then forget about the connection altogether. If a reply
to this packet ever comes back, you complete the connection attempt.
This mechanism is available on Linux and some BSD variants.

The client-puzzle protocol does not seem such a great idea to me. A
_distributed_ DOS attack will have lots of CPU power to do the puzzles.

Ge'
--
- Ge' Weijers                     Voice: (614)326 4600
Progressive Systems, Inc.         FAX:   (614)326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220
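The SYN-cookie idea described in the reply above, as an added example that is not from this thread, from Bernstein's archive, or from any kernel: the server derives the SYN-ACK initial sequence number from a keyed hash of the connection tuple, keeps no state, and later recovers the MSS from the ACK. The 5/3/24-bit layout follows the classic description; the HMAC-SHA256 keyed hash, the secret, the MSS table and the freshness window are assumptions for this demo.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret (assumption: a real stack draws it from a CSPRNG at boot).
SECRET = b"constructed-demo-secret"
# Assumed MSS table, indexed by the 3-bit field in the cookie (8 entries).
MSS_TABLE = (536, 1024, 1300, 1440, 1460, 2048, 4096, 8960)
TICK_SECONDS = 64   # counter steps every 64 s, as in the classic scheme
MAX_AGE = 4         # accept cookies up to 4 ticks old (assumed window)


def current_tick(now=None):
    """Slowly moving time counter that is folded into the cookie."""
    return int(time.time() if now is None else now) // TICK_SECONDS


def _mac24(saddr, sport, daddr, dport, tick):
    """Keyed hash of the 4-tuple and tick, truncated to the low 24 bits."""
    msg = struct.pack("!4sH4sHI", saddr, sport, daddr, dport, tick & 0xFFFFFFFF)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, client_mss, tick):
    """ISN for the SYN-ACK: 5 bits tick | 3 bits MSS index | 24 bits MAC.
    Nothing about this half-open connection is stored afterwards."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return ((tick & 31) << 27) | (mss_idx << 24) | _mac24(saddr, sport, daddr, dport, tick)


def check_syn_cookie(cookie, saddr, sport, daddr, dport, tick):
    """Return the negotiated MSS if the cookie is genuine and fresh, else None."""
    age = (tick - (cookie >> 27)) & 31          # ticks elapsed, mod 32
    if age > MAX_AGE:
        return None                             # stale (or forged tick field)
    if (cookie & 0xFFFFFF) != _mac24(saddr, sport, daddr, dport, tick - age):
        return None                             # MAC mismatch: not issued by us
    return MSS_TABLE[(cookie >> 24) & 7]


def accept_ack(ack_number, saddr, sport, daddr, dport, tick):
    """The client's ACK acknowledges ISN+1, so the cookie is ack-1 (mod 2^32)."""
    return check_syn_cookie((ack_number - 1) & 0xFFFFFFFF, saddr, sport, daddr, dport, tick)
```

A flood of SYNs therefore costs the server one HMAC per packet and no memory, which is why the backlog cannot overflow; the price is that options not encoded in the cookie are lost for connections completed this way.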
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:06:25 PDT