Date: Sat, 21 Sep 1996 15:34:10 -0700 (PDT)
From: Nathan Lawson <nlawson@kdat.csc.calpoly.edu>
To: freebsd-security@freebsd.org
Subject: SYN flood attack thoughts
Message-ID: <199609212234.PAA21650@kdat.calpoly.edu>
After listening to both sides of the argument (drop oldest and drop a random packet), I think the best alternative is a combination of the two, perhaps triggered by different high-water marks.

In this method, when the queue reached a certain mark (say 75% of the total size), the system would begin dropping all the oldest packets, starting at the end of the queue. If this really was a malicious flood, the queue would soon reach its second high-water mark (say 95%), and random drop would begin.

I see this as giving the best of both worlds. At normal to slightly congested traffic amounts, only the oldest (and therefore most likely to be invalid) packets are dropped. But when connection requests approach the second level, all packets must be considered guilty until proven innocent. The only disadvantage I see here is that the algorithm is slightly more complicated.

I think the final solution is dependent on the number of malicious packets one can expect versus the number of slow connections that the server will see. In medium load conditions, dropping the oldest packet seems to give the most advantage to legitimate packets, while in high load conditions, the legitimate sender is usually the one with the lowest number of connection requests.

I have not tested this hybrid algorithm yet, but would appreciate input.

-- 
Nate Lawson        "There are a thousand hacking at the branches of
CPE Senior          evil to one who is striking at the root."
CSL Admin            -- Henry David Thoreau, 'Walden', 1854
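The two-mark policy proposed above, as an added simulation that is not part of the original message and not FreeBSD code. It models the backlog as a queue advanced in discrete ticks; the 75% and 95% marks come from the post, while the `stale_after` age gate (between the marks, the oldest entry is evicted only if it has waited at least that many ticks, so a burst of young entries is allowed to grow toward the second mark) and the constructed workload in `simulate` are assumptions made here.

```python
import random
from collections import deque


class SynBacklog:
    """Half-open connection queue with the two high-water marks from the post.

    Below oldest_mark every SYN is queued.  Between the marks a new SYN evicts
    the oldest entry, but only if it has waited at least stale_after ticks
    (assumed age gate).  At random_mark every new SYN evicts a random entry.
    """

    def __init__(self, size, oldest_mark=0.75, random_mark=0.95,
                 stale_after=3, seed=0):
        self.oldest_limit = int(size * oldest_mark)
        self.random_limit = int(size * random_mark)
        self.stale_after = stale_after
        self.rng = random.Random(seed)           # seeded: runs are repeatable
        self.queue = deque()                     # (arrival_tick, src), oldest first
        self.drops = {"oldest": 0, "random": 0}

    def syn(self, now, src):
        """Queue a SYN arriving at tick `now`; return the evicted entry or None."""
        evicted = None
        n = len(self.queue)
        if n >= self.random_limit:               # second mark: random drop
            i = self.rng.randrange(n)
            evicted = self.queue[i]
            del self.queue[i]
            self.drops["random"] += 1
        elif n >= self.oldest_limit and now - self.queue[0][0] >= self.stale_after:
            evicted = self.queue.popleft()       # first mark: drop stale oldest
            self.drops["oldest"] += 1
        self.queue.append((now, src))
        return evicted


def simulate(size, ticks, legit_rate, flood_rate, rtt=2, seed=0):
    """Constructed workload: legitimate clients ACK after `rtt` ticks, flood
    sources never do.  Returns (legit_completed, legit_sent, drops)."""
    b = SynBacklog(size, seed=seed)
    completed = sent = 0
    for t in range(ticks):
        for e in [e for e in b.queue if e[1] == "legit" and t - e[0] >= rtt]:
            b.queue.remove(e)                    # third handshake packet arrived
            completed += 1
        for _ in range(legit_rate):
            b.syn(t, "legit")
            sent += 1
        for _ in range(flood_rate):
            b.syn(t, "flood")
    return completed, sent, dict(b.drops)
```

With a moderate flood (10 bogus SYNs per tick into a 100-entry backlog) only stale entries are evicted and every legitimate handshake completes; raising the flood to 40 per tick pushes the queue to the second mark and random drop takes over.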