From owner-freebsd-security Fri Dec 1 13: 1: 1 2000 Delivered-To: freebsd-security@freebsd.org Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by hub.freebsd.org (Postfix) with ESMTP id E265337B402 for ; Fri, 1 Dec 2000 13:00:56 -0800 (PST) Received: (from danderse@localhost) by faith.cs.utah.edu (8.9.3/8.9.3) id OAA05277; Fri, 1 Dec 2000 14:00:48 -0700 (MST) Message-Id: <200012012100.OAA05277@faith.cs.utah.edu> Subject: Re: Defeating SYN flood attacks To: rjh@mohawk.net (Ralph Huntington) Date: Fri, 1 Dec 2000 14:00:48 -0700 (MST) Cc: brett@lariat.org (Brett Glass), umesh@juniper.net (Umesh Krishnaswamy), freebsd-security@FreeBSD.ORG In-Reply-To: from "Ralph Huntington" at Dec 01, 2000 04:02:11 PM From: "David G. Andersen" X-Mailer: ELM [version 2.5 PL2] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Lo and behold, Ralph Huntington once said: > > This is very very clever. I don't see any holes in it (anyone else?). It needs more peer review. In particular: a) A good comparison to Linux's syncookies b) An evaluation of the computational load of performing an encryption on every SYN. Does this create a CPU DOS attack? c) An evaluation of how it times out old SYN packets (replay, packet duplication). What are the consequences? d) Not to use a patented and licensed cipher. I think that my reasons for suggesting all of the above are obvious, but if you'd like clarification, I'll spout more. -Dave > > On Fri, 1 Dec 2000, Brett Glass wrote: > > > Steve Gibson just published a great article on SYN flood avoidance, > > complete with a mechanism that I think FreeBSD should adopt for it. > > See > > > > http://grc.com/r&d/nomoredos.htm > > > > --Brett > > > > At 12:04 PM 12/1/2000, Umesh Krishnaswamy wrote: > > > > >Hi Folks, > > > > > >I wanted to double-check which version of FreeBSD (if any) can address a > > >SYN flooding DoS attack. The latest FreeBSD sources (tcp_input.c and > > >ip_input.c) do not seem to have any code to address such an attack. Maybe I am > > >missing something. > > > > > >So if you folks can enlighten me on whether or how to handle the SYN attack from > > >within the kernel, I would appreciate it. I am aware of ingress filtering; while > > >that can help attacks from randomized IP addresses, it will fail in the case of > > >an attack from a spoofed trusted IP address. Hence the desire to look into the > > >kernel for a fix. > > > > > >Thanks. > > >Umesh. > > > > > > > > > > > > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > > >with "unsubscribe freebsd-security" in the body of the message > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message