To: guido@gvr.win.tue.nl (Guido van Rooij)
cc: apg@demos.net (Paul Antonov), hackers@freebsd.org
Subject: Re: patch against SYN floods (RED impl.)
In-reply-to: Your message of "Fri, 27 Sep 96 12:37:52 PDT." <199609271937.VAA02005@gvr.win.tue.nl>
Date: Fri, 27 Sep 1996 13:36:38 PDT
From: Bill Fenner
Message-Id: <96Sep27.133646pdt.177476@crevenia.parc.xerox.com>

In message <199609271937.VAA02005@gvr.win.tue.nl> you write:
>Seeing your patch: isn't it much quicker to walk down the so_q0 list and
>get the pcb's from there?

Not only that, but it's relatively dangerous to use information supplied by the attacker as part of your "random" number. For example, the attacker could vary his initial sequence number by tv_usec / 33 and keep the "random" number constant.

The "oldest-drop" code in -current works well for moderate attack rates; a "random-drop" mode works better for a heavy attack. The best thing would be an automatic switch based upon the rate of queue drops.

  Bill
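
An added example, not part of the original message and not the FreeBSD -current code or the patch under discussion: the automatic switch between oldest-drop and random-drop described above, modelled on a small array of incomplete connections. The names `synq`, `synq_mode` and `synq_insert`, the queue size, the window and the threshold are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>

#define QLEN        8     /* assumed size of the incomplete-connection queue */
#define WINDOW_MS   1000  /* assumed window for measuring the drop rate */
#define HEAVY_DROPS 16    /* assumed drops per window that count as heavy */

enum drop_mode { DROP_OLDEST, DROP_RANDOM };

struct synq {
    uint32_t arrival_ms[QLEN];       /* arrival time of each embryonic connection */
    int      count;
    uint32_t window_start_ms;
    unsigned cur_drops, prev_drops;  /* drops in this window and the last one */
};

/* Pick the policy from the measured rate of queue drops. */
enum drop_mode synq_mode(struct synq *q, uint32_t now_ms)
{
    uint32_t elapsed = now_ms - q->window_start_ms;
    if (elapsed >= WINDOW_MS) {
        /* New window; a gap of two windows or more means a quiet period. */
        q->prev_drops = (elapsed < 2 * WINDOW_MS) ? q->cur_drops : 0;
        q->cur_drops = 0;
        q->window_start_ms = now_ms;
    }
    return (q->cur_drops >= HEAVY_DROPS || q->prev_drops >= HEAVY_DROPS)
        ? DROP_RANDOM : DROP_OLDEST;
}

/* Queue a new SYN, evicting one entry if the queue is full; returns the slot used. */
int synq_insert(struct synq *q, uint32_t now_ms)
{
    int slot = 0, i;
    if (q->count < QLEN) {
        slot = q->count++;
    } else {
        if (synq_mode(q, now_ms) == DROP_RANDOM) {
            /* rand() stands in for a local PRNG; no packet field feeds it. */
            slot = rand() % QLEN;
        } else {
            for (i = 1; i < QLEN; i++)   /* wrap-safe search for the oldest entry */
                if ((int32_t)(q->arrival_ms[i] - q->arrival_ms[slot]) < 0)
                    slot = i;
        }
        q->cur_drops++;
    }
    q->arrival_ms[slot] = now_ms;
    return slot;
}
```

The victim index in random-drop mode depends only on local state, so nothing in an incoming segment can steer which entry is evicted.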