From owner-freebsd-security  Mon May 17 20: 6:41 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49])
	by hub.freebsd.org (Postfix) with ESMTP id 9582914A09
	for <security@FreeBSD.ORG>; Mon, 17 May 1999 20:06:38 -0700 (PDT)
	(envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6])
	by rover.village.org (8.9.3/8.9.3) with ESMTP id VAA58064;
	Mon, 17 May 1999 21:05:32 -0600 (MDT)
	(envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id VAA75124; Mon, 17 May 1999 21:07:05 -0600 (MDT)
Message-Id: <199905180307.VAA75124@harmony.village.org>
To: Harold Gutch <logix@foobar.franken.de>
Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD 
Cc: security@FreeBSD.ORG
In-reply-to: Your message of "Sat, 15 May 1999 00:10:18 +0200."
		<19990515001018.A22645@foobar.franken.de> 
References: <19990515001018.A22645@foobar.franken.de>  <199905140438.VAA97604@apollo.backplane.com> <Pine.BSF.4.05.9905131824250.267-100000@rage.whitefang.com> <4.2.0.37.19990513161529.00c1e3f0@localhost> <Pine.BSF.4.05.9905131824250.267-100000@rage.whitefang.com> <4.2.0.37.19990513202450.0444fca0@localhost> <199905140438.VAA97604@apollo.backplane.com> <19990514072546.A20779@foobar.franken.de> <4.2.0.37.19990514133829.0461e220@localhost> <19990514225001.A22317@foobar.franken.de> <4.2.0.37.19990514154319.04610b80@localhost> 
Date: Mon, 17 May 1999 21:07:05 -0600
From: Warner Losh <imp@harmony.village.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <19990515001018.A22645@foobar.franken.de> Harold Gutch writes:
: Perhaps dropping a random socket is a better approach...

RED has proven to be a good way to deal with congestion.  A few years
ago when all of this came up the first time, I did some back of the
envelope calculations that showed that randomly dropping items in the
SYN queue produced a higher percentage chance of connecting to a port
under attack than simply discarding the oldest one in the queue.

Has anybody come up with a fix for this problem?  I've not seen one
come accross.

Warner


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message