Date: Fri, 13 Sep 1996 09:18:40 +1000 (EST)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: terry@lambert.org (Terry Lambert)
Cc: fenner@parc.xerox.com, karl@mcs.net, terry@lambert.org, avalon@coombs.anu.edu.au, freebsd-hackers@FreeBSD.org, koshy@india.hp.com
Subject: Re: SYN Resisting (fwd)
Message-ID: <199609122320.QAA11411@freefall.freebsd.org>
In-Reply-To: <199609122202.PAA07685@phaeton.artisoft.com> from "Terry Lambert" at Sep 12, 96 03:02:21 pm
In some mail from Terry Lambert, sie said:
>
> Other than that, I was a little peeved at blaming the US with the blanket
> statement that the loss was on the US end of things. Ignoring perfectly
> valid source quench requests (from *non*-ICMP ATM routers) is only one
> of the possibilities that could be considered before calling everyone
> managing NSP in the US incompetent.

I think that some people are unaware of congestion at/in points such as
their West Coast (i.e. LA/Bay Area) where multiple, full, pipes start for
international destinations. On the other hand, our local telco is probably
no better than Sprint/MCI. I suspect that most NSP's in the USA don't
provide international access.

The point being, when your network is all peachy from end to end, having
low timeouts is (maybe) acceptable, but when your endpoints are in diverse
locations and throughput is not 100%, who is really winning? If the
attacker is trying to cause denial of service, then it may be achieved by
the other end when they make it harder for real users to connect quick
enough.

To my thinking, this is a silly solution (but a reasonable patch for the
sysctl :) to the SYN problem. The problem must and can only be fixed with
correct filtering by all ISPs so long as we use the current IP.

Darren