Date: Mon, 24 Apr 2000 03:13:10 -0400 (EDT)
From: Robert Watson <rwatson@FreeBSD.ORG>
To: "Louis A. Mamakos" <louie@TransSys.COM>
Cc: Assar Westerlund <assar@sics.se>, freebsd-net@FreeBSD.ORG
Subject: Re: netkill - generic remote DoS attack (fwd)
Message-ID: <Pine.NEB.3.96L.1000424030249.15998A-100000@fledge.watson.org>
In-Reply-To: <200004232202.SAA47172@whizzo.transsys.com>
On Sun, 23 Apr 2000, Louis A. Mamakos wrote:

> ...

These are all decent points, and in a number of senses reiterate the point I made about avoiding the introduction of new fragility and brittleness into the TCP stack. I don't think anyone here is under the impression that:

1) Changes should happen immediately without extensive testing

2) Changes should be enabled by default (there's a fair degree of precedent for minor TCP changes to avoid specific attacks, but having them enabled by run-time sysctls)

3) The scope of the changes should be broad and dramatically change the properties of long-term connections and behavior

Thus far, this has been a brain-storming session to address a very specific attack in very specific environments. All ideas thrown in by various participants have been purely suggestions, and figures (such as ``30 seconds'') were ballparks to be used in back-of-napkin calculations concerning balancing effectiveness and risk.

That said, while it is true (as you point out) that TCP is a well-honed tool, researched, developed, and adapted by experienced and competent people, it is also true that TCP has had to change in a number of ways over the years to reflect changing needs and environments. TCP was not designed to address denial of service attacks, and it makes sense to harden the TCP implementation against these attacks given the (relatively) recent desire by users of the protocol to resist these attacks.

Given your clear experience in the area, would you have any suggestions for addressing this attack? Given exchanges with a number of victims of denial of service attacks, I respectfully suggest that for many providers, being able to accept any connections at all is still an improvement over accepting no connections :-). Knowing when to act, and when not to act, is important but should not rule out brainstorming for solutions.
Robert N M Watson             robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services