Date:      Sat, 22 Apr 2000 14:24:23 -0400 (EDT)
From:      Robert Watson <rwatson@FreeBSD.ORG>
To:        Assar Westerlund <assar@sics.se>
Cc:        freebsd-net@FreeBSD.ORG
Subject:   Re: netkill - generic remote DoS attack (fwd)
Message-ID:  <Pine.NEB.3.96L.1000422141140.857D-100000@fledge.watson.org>
In-Reply-To: <5lu2guhy05.fsf@assaris.sics.se>

On 22 Apr 2000, Assar Westerlund wrote:

> Robert Watson <rwatson@FreeBSD.ORG> writes:
> > 2) Enable keep-alives on all connections by default (we should probably do
> >    this anyway for other reasons)
> 
> I thought phk had already done this?
> 
> net.inet.tcp.always_keepalive: 1
> 
> See defaults/rc.conf:1.10

Any idea what the default idle time before keepalives kick in is?
Presumably we could adaptively change that time as the legitimacy of
the connection is determined -- i.e., really short keepalive time early in
the connection, longer later once the connection has had the opportunity
to in some way demonstrate increased legitimacy.

Of course, attacks can always become more sophisticated, but I think it's
worth handling the network-layer protocol limitations either way, as it
improves scalability, et al.  We do have to be careful not to
over-increase the brittleness of the TCP implementation as a side effect,
however. 

  Robert N M Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
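The adaptive keepalive schedule sketched above, written out as an added example; this is not code from the thread or from FreeBSD, and it shows how a userland server can do per-connection what Robert proposes for the stack. It assumes the per-socket options TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT (Linux, and FreeBSD 9.1 or later; in 2000 only the global sysctls net.inet.tcp.keepidle, keepintvl and keepcnt existed). The tier boundaries in keepalive_idle_for() and the function names are invented for illustration; the only real figure is the 2-hour system default idle time.

```c
/* Adaptive TCP keepalive: probe new, silent peers quickly and relax the
 * idle timer as a connection earns trust. Example code, not FreeBSD's. */
#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

/* Hypothetical trust schedule. Returns the idle time (seconds) before the
 * first keepalive probe, given how much the peer has sent and how long the
 * connection has lived. A peer that completed the handshake and then went
 * silent is probed after 10 s instead of the 2-hour system default, so an
 * attacker holding thousands of idle connections open (the netkill pattern)
 * has them torn down quickly. The tiers are illustrative, not measured. */
unsigned keepalive_idle_for(uint64_t bytes_from_peer, unsigned age_sec)
{
    if (bytes_from_peer == 0)                 /* handshake only, no data yet */
        return 10;
    if (age_sec < 60 || bytes_from_peer < 1024)
        return 60;                            /* some data, still young */
    if (age_sec < 600)
        return 600;                           /* established, modest history */
    return 7200;                              /* system default: 2 hours */
}

/* Enable keepalives on one socket and set its idle/interval/count.
 * Returns 0 on success, -1 on the first failing setsockopt(). */
int apply_keepalive(int fd, unsigned idle_sec, unsigned intvl_sec, unsigned cnt)
{
    int on = 1, v;

    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof on) < 0)
        return -1;
    v = (int)idle_sec;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &v, sizeof v) < 0)
        return -1;
    v = (int)intvl_sec;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &v, sizeof v) < 0)
        return -1;
    v = (int)cnt;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &v, sizeof v) < 0)
        return -1;
    return 0;
}

/* Read back the idle time currently set on the socket, or -1 on error. */
int read_keepalive_idle(int fd)
{
    int v = 0;
    socklen_t len = sizeof v;

    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &v, &len) < 0)
        return -1;
    return v;
}

int main(void)
{
    /* Constructed connection history: (bytes received, age) at each point a
     * server would re-evaluate the socket, e.g. on every read(). */
    struct { uint64_t bytes; unsigned age; } stages[] = {
        { 0, 0 }, { 200, 5 }, { 4096, 120 }, { 1 << 20, 3600 }
    };
    int fd = socket(AF_INET, SOCK_STREAM, 0);   /* unconnected, for the demo */

    if (fd < 0) {
        perror("socket");
        return 1;
    }
    for (size_t i = 0; i < sizeof stages / sizeof stages[0]; i++) {
        unsigned idle = keepalive_idle_for(stages[i].bytes, stages[i].age);
        /* 5 s between probes, 3 missed probes = dead connection */
        if (apply_keepalive(fd, idle, 5, 3) < 0) {
            perror("setsockopt");
            return 1;
        }
        printf("bytes=%llu age=%us -> idle %us (socket says %ds)\n",
               (unsigned long long)stages[i].bytes, stages[i].age,
               idle, read_keepalive_idle(fd));
    }
    close(fd);
    return 0;
}
```

The escalation only loosens the timer, never tightens it, so a long-lived legitimate connection is never penalized; the brittleness Robert warns about comes from the first tier, where a legitimate but slow client (a user typing a password) must send something within the short idle plus intvl times cnt seconds or be dropped.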