Date: Sat, 22 Apr 2000 14:24:23 -0400 (EDT) From: Robert Watson <rwatson@FreeBSD.ORG> To: Assar Westerlund <assar@sics.se> Cc: freebsd-net@FreeBSD.ORG Subject: Re: netkill - generic remote DoS attack (fwd) Message-ID: <Pine.NEB.3.96L.1000422141140.857D-100000@fledge.watson.org> In-Reply-To: <5lu2guhy05.fsf@assaris.sics.se>
next in thread | previous in thread | raw e-mail | index | archive | help
On 22 Apr 2000, Assar Westerlund wrote: > Robert Watson <rwatson@FreeBSD.ORG> writes: > > 2) Enable keep-alives on all connections by default (we should probably do > > this anyway for other reasons) > > I thought phk had already done this? > > net.inet.tcp.always_keepalive: 1 > > See defaults/rc.conf:1.10 Any idea what the default idle time before keepalives kick in is? Presumably would could adaptively change that time as the legitimacy of the connection is determined -- i.e., really short keepalive time early in the connection, longer later once the connection has had the opportunity to in some way demonstrate increased legitimacy. Of course, attacks can always become more sophisticated, but I think it's worth handling the network-layer protocol limitations either way, as it improves scalability, et al. We do have to be careful not to over-increase the brittleness of the TCP implementation as a side effect, however. Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1000422141140.857D-100000>