From: Nathan Lawson
Subject: SYN flood attack thoughts
To: freebsd-security@freebsd.org
Date: Sat, 21 Sep 1996 15:34:10 -0700 (PDT)
Message-Id: <199609212234.PAA21650@kdat.calpoly.edu>

After listening to both sides of the argument (drop oldest and drop a random packet), I think the best alternative is a combination of the two, perhaps triggered by different high-water marks.

In this method, when the queue reached a certain mark (say 75% of the total size), the system would begin dropping all the oldest packets, starting at the end of the queue. If this really was a malicious flood, the queue would soon reach its second high-water mark (say 95%), and random drop would begin.

I see this as giving the best of both worlds. At normal to slightly congested traffic amounts, only the oldest (and therefore most likely to be invalid) packets are dropped. But when connection requests approach the second level, all packets must be considered guilty until proven innocent. The only disadvantage I see here is that the algorithm is slightly more complicated.

I think the final solution is dependent on the number of malicious packets one can expect versus the number of slow connections that the server will see. In medium load conditions, dropping the oldest packet seems to give the most advantage to legitimate packets, while in high load conditions, the legitimate sender is usually the one with the lowest number of connection requests.

I have not tested this hybrid algorithm yet, but would appreciate input.

-- 
Nate Lawson        "There are a thousand hacking at the branches of
CPE Senior          evil to one who is striking at the root."
CSL Admin               -- Henry David Thoreau, 'Walden', 1854
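Added example, not Nate's code or anything from the FreeBSD tree: a small Python simulation of the two-mark hybrid policy described in the post, run against a constructed mix of spoofed and legitimate SYNs. Where the post says "dropping all the oldest packets", this reads it as shedding half-open entries that have waited longer than a shortened timeout once the first mark is crossed (so that a real flood still climbs to the second mark); that reading, the 75%/95% defaults, the 3-tick timeout and all names are my assumptions.

```python
import random
from collections import deque

class HybridSynQueue:
    """Half-open (SYN_RCVD) queue with two marks: below the first every SYN is
    queued, between them stale entries go first, at the second a random one goes."""

    def __init__(self, capacity, oldest_mark=0.75, random_mark=0.95,
                 stale_after=3, seed=0):
        self.oldest_level = int(capacity * oldest_mark)
        self.random_level = int(capacity * random_mark)
        self.stale_after = stale_after  # ticks an entry may wait once congested (assumed)
        self.queue = deque()            # (client, arrival_tick), oldest on the left
        self.rng = random.Random(seed)  # seeded only so runs are repeatable
        self.stats = {"queued": 0, "drop_oldest": 0, "drop_random": 0}

    def on_syn(self, client, now):
        """Admit one SYN and return the policy that made room for it."""
        policy = "queued"
        if len(self.queue) >= self.random_level:
            del self.queue[self.rng.randrange(len(self.queue))]
            policy = "drop_random"
        elif len(self.queue) >= self.oldest_level:
            while self.queue and now - self.queue[0][1] >= self.stale_after:
                self.queue.popleft()
                policy = "drop_oldest"
        self.queue.append((client, now))
        self.stats[policy] += 1
        return policy

    def on_ack(self, client):
        """Final handshake packet: True if the half-open entry survived."""
        hit = next((e for e in self.queue if e[0] == client), None)
        if hit is not None:
            self.queue.remove(hit)
        return hit is not None

def simulate(queue, ticks, flood_per_tick, legit_per_tick, rtt=1):
    """Constructed load: spoofed SYNs never complete; legit clients ACK after rtt ticks."""
    pending, completed = [], 0
    for now in range(ticks + rtt):
        completed += sum(queue.on_ack(c) for due, c in pending if due <= now)
        pending = [(due, c) for due, c in pending if due > now]
        if now < ticks:
            for i in range(flood_per_tick):
                queue.on_syn(("spoofed", now, i), now)
            for i in range(legit_per_tick):
                queue.on_syn(("legit", now, i), now)
                pending.append((now + rtt, ("legit", now, i)))
    return completed / max(1, ticks * legit_per_tick)  # fraction of legit handshakes done
```

Comparing `stats` after a calm run and a flooded run shows which regime the queue spent its time in, which is the trade-off the post is weighing.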