From owner-freebsd-security Fri Sep 20 09:26:21 1996
Message-Id: <199609201625.KAA29669@rover.village.org>
To: steve farrell
Subject: Re: comments on the SYN attack
Cc: newton@communica.com.au (Mark Newton), security@freebsd.org
In-reply-to: Your message of "Fri, 20 Sep 1996 03:43:17 -0000." <199609200343.DAA03778@phaedrus.uchicago.edu>
References: <199609200343.DAA03778@phaedrus.uchicago.edu>
Date: Fri, 20 Sep 1996 10:25:42 -0600
From: Warner Losh

In message <199609200343.DAA03778@phaedrus.uchicago.edu> steve farrell writes:
: but what about randomly? first: i think randomly killing packets
: is a fallacy since the longer the packet remains on the queue, the
: more likely it will get killed (if 1% of packets are killed every
: second, then the packet which hangs out on the queue 100secs will
: probably get killed, whereas the one that hangs out 10secs will
: probably not.) -- so if there is an effective difference, it's
: odd and probably not very important.

If you have a queue of 100, say, and 1 gets killed a second, then the
chances of survival for 100 seconds are about 36%.  The chances of
survival for 10s are 91%.  Given that you'll likely have more than one
valid SYN in even a 10s window, at least one of them should generally
survive.  Initial SYNs are retransmitted, so dropping one of them isn't
bad as long as you don't drop them all.
Keep in mind that randomly killing a packet produces results that aren't
intuitive sometimes.  I would have expected after 100 hits, the chances
of a packet surviving were near 0 (like .0000something).  Turns out to be
about 1 in 3, which is a very different property than FIFO.  In a FIFO
killing model after 100s you are dead no matter what, so it is a hard
limit.  Is that property useful?  My gut tells me that it is, but I have
no hard evidence to back this up at this time.

The goal is to make the system more useful and make it harder for the
attacker to starve legitimate connections.  Ideally, one would want to
reduce it to a ping flood attack (it eats only bandwidth).

Warner
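The following Python script is an added illustration of the two eviction policies compared above; it is not part of the message and not FreeBSD kernel code. The first three functions reproduce the closed-form figures quoted in the reply (a queue of 100 with one random kill per second gives roughly 36% survival over 100 s and 91% over 10 s, while oldest-first eviction is a hard cut-off), and `simulate` runs a small tick-driven model of a full half-open queue under a flood of never-completed SYNs, measuring how many legitimate clients still get connected under "evict the oldest" versus "evict a random entry". Every parameter (queue capacity of 100, two bogus SYNs per tick, a 100-tick handshake, three SYN attempts per client, a fixed seed) is a constructed assumption chosen to make the contrast visible, not a measured value.

```python
"""Added example: a toy model of a half-open (SYN) queue under flood,
comparing "kill the oldest entry" (FIFO) with "kill a random entry" when
the queue is full.  All parameters are constructed for illustration and
are not FreeBSD's actual defaults."""
import random


def random_drop_survival(queue_len, drops_per_second, seconds):
    """P(one given entry survives) when `drops_per_second` entries of a
    queue of `queue_len` are killed uniformly at random each second.
    Every kill spares this entry with probability 1 - 1/queue_len."""
    return (1.0 - 1.0 / queue_len) ** (drops_per_second * seconds)


def fifo_drop_survival(queue_len, drops_per_second, seconds):
    """Oldest-first kill: the entry is certainly present until
    queue_len / drops_per_second seconds have elapsed, then certainly gone."""
    return 1.0 if seconds < queue_len / drops_per_second else 0.0


def any_of_n_survives(p_single, attempts):
    """P(at least one of `attempts` independently treated SYNs survives),
    i.e. the benefit of the client's SYN retransmissions."""
    return 1.0 - (1.0 - p_single) ** attempts


def simulate(policy, capacity=100, attack_per_tick=2, handshake_ticks=100,
             clients=200, client_gap=50, retransmits=2, retransmit_gap=300,
             seed=1):
    """Tick-driven simulation (constructed model, not kernel code).

    Bogus SYNs never complete.  A legitimate client's entry completes if it
    is still queued when the client's ACK arrives `handshake_ticks` later;
    otherwise the client retransmits its SYN up to `retransmits` times.
    When a SYN arrives at a full queue, `policy` decides which entry dies:
    "fifo" evicts the oldest, "random" evicts a uniformly random one.
    Returns the fraction of clients that ended up connected."""
    rng = random.Random(seed)
    queue = []                      # entries: [client_id or None, ack_tick]
    connected = set()
    # SYN arrivals scheduled per tick: tick -> list of (client_id, attempt)
    pending = {}
    for cid in range(clients):
        pending.setdefault(cid * client_gap, []).append((cid, 0))
    last_tick = (clients * client_gap + (retransmits + 1) * retransmit_gap
                 + handshake_ticks)

    def enqueue(entry):
        # Eviction only happens when the queue is full; no idle timeout is
        # modelled because the flood turns the queue over far faster.
        if len(queue) >= capacity:
            victim = 0 if policy == "fifo" else rng.randrange(len(queue))
            queue.pop(victim)
        queue.append(entry)

    for now in range(last_tick + 1):
        # 1. ACKs arrive for legitimate entries that are still queued.
        still = []
        for entry in queue:
            if entry[0] is not None and entry[1] <= now:
                connected.add(entry[0])
            else:
                still.append(entry)
        queue[:] = still
        # 2. The flood: bogus SYNs that will never be completed.
        for _ in range(attack_per_tick):
            enqueue([None, None])
        # 3. Legitimate SYNs (first attempt or retransmit) due this tick.
        for cid, attempt in pending.pop(now, []):
            if cid in connected:
                continue
            enqueue([cid, now + handshake_ticks])
            if attempt < retransmits:
                pending.setdefault(now + retransmit_gap, []).append(
                    (cid, attempt + 1))
    return len(connected) / clients


if __name__ == "__main__":
    # The figures from the message: queue of 100, one kill per second.
    print("random, 100 s:", round(random_drop_survival(100, 1, 100), 3))
    print("random,  10 s:", round(random_drop_survival(100, 1, 10), 3))
    print("fifo,   100 s:", fifo_drop_survival(100, 1, 100))
    print("3 SYNs, random, 100 s:",
          round(any_of_n_survives(random_drop_survival(100, 1, 100), 3), 3))
    for policy in ("fifo", "random"):
        print(policy, "flood: fraction connected =", simulate(policy))
```

With the constructed parameters the flood turns a 100-entry queue over every 50 ticks, so under oldest-first eviction no 100-tick handshake can ever complete and the connected fraction is exactly zero, however many times clients retransmit. Under random eviction each attempt survives with probability near e^-2 (about 13%), and three attempts per client lift the connected fraction to roughly a third: the "soft" limit the reply describes, where retransmissions still buy something.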