Date:      Sat, 28 Sep 1996 00:55:24 +0400 (MSD)
From:      apg@demos.net (Paul Antonov)
To:        Bill Fenner <fenner@parc.xerox.com>, Guido van Rooij <guido@gvr.win.tue.nl>
Cc:        Paul Antonov <apg@demos.net>, hackers@freebsd.org
Subject:   Re: patch against SYN floods (RED impl.)
Message-ID:  <oFyy3JouB0@dream.demos.su>
In-Reply-To: <96Sep27.133646pdt.177476@crevenia.parc.xerox.com>; from Bill Fenner at Fri, 27 Sep 1996 13:36:38 PDT
References:  <96Sep27.133646pdt.177476@crevenia.parc.xerox.com>

In message <96Sep27.133646pdt.177476@crevenia.parc.xerox.com> Bill Fenner writes:

>Not only that, but it's relatively dangerous to use information supplied
>by the attacker as part of your "random" number.  For example, the attacker
>could vary his initial sequence number by tv_usec / 33 and keep the
>"random" number constant.

Yes, I agree that a better random function is necessary. My own test flood
generator uses random seq's - it's too good :) Any ideas?

>The "oldest-drop" code in -current works well for moderate attack rates;
>a "random-drop" mode works better for a heavy attack.  The best thing
>would be an automatic switch based upon the rate of queue drops.

Mmm, I just tested - only 10 syns/sec brings down 2.2-current with default
listen() queue parameters, and even 100 doesn't do anything noticeable
with the above patch. 'oldest-drop' introduces too strong RTT discrimination.
No problem when you're on the same ethernet, but when you're at home ... ;-)

-- Paul
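
Paul's point that oldest-drop penalises clients with a long RTT, as an added toy model that is not part of the thread or of the FreeBSD code: a saturated listen() backlog is fed attack SYNs at a fixed rate, and we measure how often a legitimate half-open entry is still queued when its ACK arrives one RTT later. The backlog size, attack rate and RTT values are constructed, and the simulate/evict helpers are this example's own.

```python
# Added example, not from the thread: a toy model of a full listen() SYN
# backlog under flood, comparing the two drop policies the thread discusses.
# Backlog size, attack rate and RTTs below are constructed, not measured.
import random

def evict(queue, policy, rng):
    """Free one slot in a full backlog using the given policy."""
    if policy == "oldest-drop":
        queue.pop(0)                          # FIFO: evict the oldest entry
    elif policy == "random-drop":
        queue.pop(rng.randrange(len(queue)))  # evict a uniformly random entry
    else:
        raise ValueError(policy)

def simulate(policy, backlog, attack_rate, rtt, trials=2000, seed=1):
    """Fraction of legitimate SYNs whose half-open entry is still queued when
    the client's ACK arrives one RTT later. The backlog is assumed already
    saturated by attack SYNs, which keep arriving at attack_rate per second."""
    rng = random.Random(seed)
    attack_syns_per_rtt = round(attack_rate * rtt)
    survived = 0
    for _ in range(trials):
        queue = ["attack"] * backlog
        evict(queue, policy, rng)
        queue.append("legit")                 # our client's SYN is accepted
        for _ in range(attack_syns_per_rtt):
            evict(queue, policy, rng)
            queue.append("attack")
        survived += "legit" in queue
    return survived / trials

def random_drop_analytic(backlog, attack_rate, rtt):
    """Closed form for random-drop: each arriving attack SYN spares the
    legitimate entry with probability (1 - 1/backlog)."""
    return (1 - 1 / backlog) ** round(attack_rate * rtt)

if __name__ == "__main__":
    BACKLOG, RATE = 128, 100            # constructed: 128 slots, 100 attack SYN/s
    for rtt in (0.01, 0.5, 2.0):        # constructed: LAN, WAN, slow home link
        old = simulate("oldest-drop", BACKLOG, RATE, rtt)
        rnd = simulate("random-drop", BACKLOG, RATE, rtt)
        print(f"rtt={rtt:5.2f}s  oldest-drop={old:.2f}  random-drop={rnd:.2f}")
```

Oldest-drop is all-or-nothing: every client whose RTT exceeds backlog/rate is shut out, while random-drop degrades smoothly with RTT.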