From owner-freebsd-security Fri Jan 21 9: 6:53 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 59BF915500 for ; Fri, 21 Jan 2000 09:06:51 -0800 (PST) (envelope-from brett@lariat.org) Received: from workhorse (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id KAA20620; Fri, 21 Jan 2000 10:06:44 -0700 (MST) Message-Id: <4.2.2.20000121100135.01a55390@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Fri, 21 Jan 2000 10:06:40 -0700 To: gdonl@tsc.tdk.com (Don Lewis), Matthew Dillon From: Brett Glass Subject: Re: stream.c worst-case kernel paths Cc: Alfred Perlstein , security@FreeBSD.ORG In-Reply-To: <200001211510.HAA13068@salsa.gv.tsc.tdk.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 08:10 AM 1/21/2000 , Don Lewis wrote: >I agree. Failing to set RST makes SYN floods worse. The victim machine >will have more sockets hanging around in a SYN-SENT state that keep sending >SYN+ACK packets until the sockets times out. If the spoofed clients send >RST packets in response, then the server will immediately nuke these >sockets and won't have their incoming bandwidth consumed by the packets >they are ignoring (they'll receive one packet and send one packet for >each spoofed SYN instead of receiving N packets and sending none if they >don't send RST packets). Good point! But should we rely on the hosts sending RSTs? Many SYN floods intentionally use unregistered IPs, for just this reason: a RST never comes back. (But an ICMP "unreachable" message may, and this congests the victim even more.) >It's also a lot easier to spoof a TCP connection from a host that doesn't >send RST packets. Also true. All of this sounds like a good argument for the application of game theory to protocol design. :-S --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message