From owner-freebsd-net Sun Apr 23 20:23:16 2000
Delivered-To: freebsd-net@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 6C04C37B68B for ; Sun, 23 Apr 2000 20:23:14 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id XAA31753; Sun, 23 Apr 2000 23:23:08 -0400 (EDT) (envelope-from wollman)
Date: Sun, 23 Apr 2000 23:23:08 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200004240323.XAA31753@khavrinen.lcs.mit.edu>
To: "Louis A. Mamakos"
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: netkill - generic remote DoS attack (fwd)
In-Reply-To: <200004232202.SAA47172@whizzo.transsys.com>
References: <200004232202.SAA47172@whizzo.transsys.com>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

> Perhaps if you're concerned that random people are attacking your system
> by using the way TCP functions, you should instead use IPSEC to authenticate
> the remote party before allowing the connection to open?

Not helpful. The reason why these DoS attacks are so successful is that it's the server-operator's business to offer service to all comers. To restrict access (particularly to the tiny subset of the population which would be authenticable using IPSEC) would defeat the entire purpose of the server.

Unfortunately, this particular DoS is inherent in the TCP design. There are a whole bunch of others that are not as widely known, which have (relatively) easier solutions.

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message