From owner-freebsd-security Fri May 14 14:59:12 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 7FEBF151EB for ; Fri, 14 May 1999 14:59:09 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id PAA28917; Fri, 14 May 1999 15:58:30 -0600 (MDT)
Message-Id: <4.2.0.37.19990514154319.04610b80@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta)
Date: Fri, 14 May 1999 15:46:19 -0600
To: Harold Gutch , Matthew Dillon
From: Brett Glass
Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
Cc: Jared Mauch , Thamer Al-Herbish , security@FreeBSD.ORG
In-Reply-To: <19990514225001.A22317@foobar.franken.de>
References: <4.2.0.37.19990514133829.0461e220@localhost> <199905140438.VAA97604@apollo.backplane.com> <4.2.0.37.19990513161529.00c1e3f0@localhost> <4.2.0.37.19990513202450.0444fca0@localhost> <199905140438.VAA97604@apollo.backplane.com> <19990514072546.A20779@foobar.franken.de> <4.2.0.37.19990514133829.0461e220@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 10:50 PM 5/14/99 +0200, Harold Gutch wrote:
>On Fri, May 14, 1999 at 02:05:51PM -0600, Brett Glass wrote:
> > Any technique that requires the originator to receive your
> > SYN-ACK and generate a specific response before you commit
> > resources is acceptable. Heck, you don't even really need
> > a cryptographically strong hash for this. Is Linux really
> > doing one MD5 per SYN? If so, I can think of a few other
> > techniques that would give us a speed advantage. We'd be
> > able to beat them in the benchmarks while still providing
> > good protection against SYN flooding.
> >
>Ah, that's a very good point, I never thought of the
>speed-question.

Actually, it turns out that the Linux approach requires a minimum of two MD5's -- one at the time of the SYN and again when the SYNner responds to the SYN-ACK. I think there are a total of three in their algorithm. This gives us a chance to gain a LOT of speed if we can avoid doing all those MD5s.

>But you are right - back to the original topic. I checked my
>2.2.8 boxes and flooded them with 1 Million SYN packets taking
>about 1 minute, so that's (roughly) 16000 SYNs per second. I did
>not manage to kill them with this.

It may also depend on the complexity of your routing tables.

--Brett
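As an added example, not code from this thread, from FreeBSD or from Linux, here is a minimal stateless SYN-cookie check in C in the spirit of the point above: the listener commits no resources on a SYN, and only accepts the handshake-completing ACK if it echoes a cookie that still verifies. The keyed mixing function, the cookie layout and the sample addresses are assumptions chosen for illustration, not the Linux MD5 construction.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of a stateless SYN-cookie check. The listener answers a
 * SYN with an ISN derived from a keyed hash of the 4-tuple and a coarse time counter,
 * allocates nothing, and accepts the final ACK only if it carries ISN+1 for a cookie
 * that still verifies. The mixing function and cookie layout are assumptions for this
 * example, not the Linux MD5 construction discussed in the thread. */

typedef struct { uint32_t saddr, daddr; uint16_t sport, dport; } tuple4;

/* Per-host secret; a real implementation would rotate it periodically. */
static const uint64_t secret_key = 0x9E3779B97F4A7C15ULL;

/* Cheap keyed mixing of two 64-bit words (non-cryptographic, an assumption). */
static uint32_t keyed_mix(uint64_t a, uint64_t b) {
    uint64_t x = (a ^ secret_key) * 0xC2B2AE3D27D4EB4FULL;
    x ^= x >> 31;
    x = (x ^ b ^ (secret_key >> 13)) * 0x9E3779B97F4A7C15ULL;
    x ^= x >> 29;
    return (uint32_t)x;
}

/* Cookie layout: bits 31..24 = minute counter (mod 256), bits 23..0 = keyed hash. */
uint32_t syn_cookie(const tuple4 *t, uint32_t minute) {
    uint64_t addrs = ((uint64_t)t->saddr << 32) | t->daddr;
    uint64_t rest  = ((uint64_t)t->sport << 24) | ((uint64_t)t->dport << 8) | (minute & 0xffu);
    return ((minute & 0xffu) << 24) | (keyed_mix(addrs, rest) & 0x00ffffffu);
}

/* Validate the handshake-completing ACK: ack_seq must be cookie+1, the embedded
 * minute must be at most max_age minutes old, and the hash must match. */
bool syn_cookie_check(const tuple4 *t, uint32_t ack_seq, uint32_t now_minute, uint32_t max_age) {
    uint32_t cookie = ack_seq - 1;
    uint32_t age = (now_minute - (cookie >> 24)) & 0xffu;
    if (age > max_age)
        return false;
    return cookie == syn_cookie(t, now_minute - age);
}

int main(void) {
    tuple4 c = { 0xC0A80001u, 0xCE64B902u, 40000, 80 }; /* constructed addresses */
    uint32_t isn = syn_cookie(&c, 100);
    printf("cookie=%08x valid=%d stale=%d forged=%d\n", isn,
           syn_cookie_check(&c, isn + 1, 101, 2),
           syn_cookie_check(&c, isn + 1, 110, 2),
           syn_cookie_check(&c, isn + 7, 101, 2));
    return 0;
}
```

Two cheap mixes per connection replace the multiple MD5s the thread counts, and a flood of bare SYNs never allocates a queue entry because nothing is stored until a verifying ACK arrives.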