On Sat, 17 Aug 1996, Darren Reed wrote:
> In some mail from Paul D. Robertson, sie said:
> [...]
> > Personally, I'm thinking that the stack should know how many slots are
> > left, and at threshold, drop FIN_* state sockets, then SYN_RECEIVED's
> > based on FIFO or something. Not perfect, but it'd help.
> >
> > Thoughts anyone?
>
> When I was first thinking of ways to combat the SYN_R'd problem, my initial
> response was to put a FIFO on the accept list and leave that constant in
> size. Thinking about that some more, I realised this didn't eliminate the
> attack, it had just changed nature but kept things ticking over and keeps
> it possible (but less certainty) that new connections will form whilst under
> attack.
Hrm, I'm still not sure the right combination of list size, and expiry
based on the state of the stack wouldn't help, if only in changing the
timeout values during loaded conditions.
What about some sort of state acceptance? I've seen a good TCP level
connection from this host within the last x seconds/minutes/whatever, so
I'll give him longer to connect than this machine I don't know up to a
threshold. I've seen nothing but SYNs from this host, so I'll drop his
packets for x seconds/minutes/whatever because he's a bad SYNer (*ugh*
sorry).
Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280
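The backlog policy the thread is kicking around, as an added illustration rather than code from either poster: a constant-size FIFO of half-open entries (Darren's idea) combined with Paul's per-host state, where a host that recently completed a handshake gets a longer SYN_RECEIVED timeout and is evicted last, and a host that has only ever sent SYNs is ignored for a while. Slot counts, timeouts and thresholds are assumed values chosen for the demonstration.

```python
from collections import deque

class SynBacklog:
    """Fixed-size FIFO of half-open (SYN_RECEIVED) entries plus per-host state.
    Recently-good hosts get a longer timeout and are evicted last; SYN-only hosts
    are blocked once they cross a threshold. All parameters are assumed values."""

    def __init__(self, slots=4, base_timeout=10, trusted_timeout=60,
                 trust_window=300, syn_only_limit=3, block_secs=120):
        self.slots, self.base_timeout = slots, base_timeout
        self.trusted_timeout, self.trust_window = trusted_timeout, trust_window
        self.syn_only_limit, self.block_secs = syn_only_limit, block_secs
        self.entries = deque()    # FIFO of [host, expires_at], oldest first
        self.last_good = {}       # host -> time of last completed handshake
        self.syn_only = {}        # host -> SYNs seen since the last completion
        self.blocked_until = {}   # host -> time at which the block lifts

    def _trusted(self, host, now):
        return host in self.last_good and now - self.last_good[host] < self.trust_window

    def on_syn(self, host, now):
        """Returns 'dropped', 'queued' or 'evicted:<host>' (oldest untrusted entry)."""
        if self.blocked_until.get(host, 0) > now:
            return "dropped"
        self.entries = deque(e for e in self.entries if e[1] > now)  # expire stale
        self.syn_only[host] = self.syn_only.get(host, 0) + 1
        if self.syn_only[host] >= self.syn_only_limit and host not in self.last_good:
            self.blocked_until[host] = now + self.block_secs   # a "bad SYNer"
            return "dropped"
        timeout = self.trusted_timeout if self._trusted(host, now) else self.base_timeout
        evicted = None
        if len(self.entries) >= self.slots:
            # Prefer the oldest entry from an untrusted host; fall back to plain FIFO.
            victim = next((e for e in self.entries if not self._trusted(e[0], now)),
                          self.entries[0])
            self.entries.remove(victim)
            evicted = victim[0]
        self.entries.append([host, now + timeout])
        return f"evicted:{evicted}" if evicted else "queued"

    def on_ack(self, host, now):
        """Handshake-completing ACK: free the slot and remember the host as good."""
        for e in self.entries:
            if e[0] == host and e[1] > now:
                self.entries.remove(e)
                self.last_good[host] = now
                self.syn_only[host] = 0
                return True
        return False
```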