From owner-freebsd-security Fri Sep 20 23:57:05 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA05385 for security-outgoing; Fri, 20 Sep 1996 23:57:05 -0700 (PDT) Received: from psychotic.communica.com.au (gw.communica.com.au [203.8.94.161]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id XAA05344 for ; Fri, 20 Sep 1996 23:56:59 -0700 (PDT) Received: from communica.com.au (newton@frenzy [192.82.222.1]) by psychotic.communica.com.au (8.6.12/8.6.9) with SMTP id QAA10625; Sat, 21 Sep 1996 16:23:39 +0930 Received: by communica.com.au (4.1/SMI-4.1) id AA03742; Sat, 21 Sep 96 16:22:46 CST From: newton@communica.com.au (Mark Newton) Message-Id: <9609210652.AA03742@communica.com.au> Subject: Re: comments on the SYN attack To: imp@village.org (Warner Losh) Date: Sat, 21 Sep 1996 16:22:46 +0930 (CST) Cc: spfarrel@midway.uchicago.edu, newton@communica.com.au, security@FreeBSD.ORG In-Reply-To: <199609201625.KAA29669@rover.village.org> from "Warner Losh" at Sep 20, 96 10:25:42 am X-Mailer: ELM [version 2.4 PL21] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 8bit Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Warner Losh wrote: > : but what about randomly? first: i think randomly killing packets > : is a fallacy since the longer the packet remains on the queue, the > : more likely it will get killed (if 1% of packets are killed every > : second, then the packet which hangs out on the queue 100secs will > : probably get killed, whereas the one that hangs out 10secs will > : probably not.) -- so if there is an effective difference, it's > : odd and probably not very important. > > If you have a queue of 100, say, and 1 gets killed a second, then the > chances of survival for 100 seconds is about 36%. The chances of > survival for 10s is 91%. Given that you'll likely have more than one > valid SYN in even a 10s window, at least one of them should generally > survive. Initial SYNs are retransmitted, so dropping one of them > isn't bad as long as you don't drop them all. This is so bogus, Warner. You keep putting forward lots of good reasons which make the random approach better, but you neglect the fact that those exact, same factors make the deterministic approach better too. At the end of the day, both approaches collapse to exactly the same thing: They both have the OS saying, "Hmm - A SYN has just arrived and I don't have space for it, so I'll nuke an existing SYN to make room." The difference between the two is that the random method makes no effort to bias itself in favour of newly arrived packets which haven't had a chance to be SYN-ACK'ed yet. The two approaches are so similar that if you were to implement the random approach, I could transform it into the deterministic approach by merely *changing your random number generator routine*. Algorithmically speaking, we're talking about *EXACTLY* the same thing; you're just leaving out the bias whiich favours the algorithm towards new arrivals. > FIFO. In a FIFO killing model after 100s you are dead no matter > what, so it is a hard limit. This is a good thing, Warner: With your model, there is a 36% chance that a bad SYN will still be in the queue after 100s, according to your figures. :-) - mark --- Mark Newton Email: newton@communica.com.au Systems Engineer Phone: +61-8-8373-2523 Communica Systems WWW: http://www.communica.com.au