Date: Fri, 01 Dec 2000 14:08:29 -0700 From: Brett Glass <brett@lariat.org> To: "David G. Andersen" <dga@pobox.com>, rjh@mohawk.net (Ralph Huntington) Cc: umesh@juniper.net (Umesh Krishnaswamy), freebsd-security@FreeBSD.ORG, steve@grc.com Subject: Re: Defeating SYN flood attacks Message-ID: <4.3.2.7.2.20001201140439.048d42f0@localhost> In-Reply-To: <200012012100.OAA05277@faith.cs.utah.edu> References: <Pine.BSF.4.21.0012011601470.92040-100000@mohegan.mohawk.net>
next in thread | previous in thread | raw e-mail | index | archive | help
At 02:00 PM 12/1/2000, David G. Andersen wrote: >Lo and behold, Ralph Huntington once said: >> >> This is very very clever. I don't see any holes in it (anyone else?). > >It needs more peer review. In particular: > > a) A good comparison to Linux's syncookies Steve *sort of* does this, but doesn't get into much detail. > b) An evaluation of the computational load of performing an > encryption on every SYN. Does this create a CPU DOS attack? Good question! This can probably be controlled by the number of rounds of encryption. > c) An evaluation of how it times out old SYN packets > (replay, packet duplication). What are the consequences? Steve's algorithm doesn't have any timeouts. I think that this is one of its weaknesses: the key is only changed at each boot, instead of, say, hourly. This leaves a server open to known plaintext attacks which can drastically limit the search space required to break the cipher. > d) Not to use a patented and licensed cipher. I see no reason not to use MD5 instead of RC5. FreeBSD already has MD5 in the kernel! --Brett >I think that my reasons for suggesting all of the above are obvious, but >if you'd like clarification, I'll spout more. > > -Dave > > >> >> On Fri, 1 Dec 2000, Brett Glass wrote: >> >> > Steve Gibson just published a great article on SYN flood avoidance, >> > complete with a mechanism that I think FreeBSD should adopt for it. >> > See >> > >> > http://grc.com/r&d/nomoredos.htm >> > >> > --Brett >> > >> > At 12:04 PM 12/1/2000, Umesh Krishnaswamy wrote: >> > >> > >Hi Folks, >> > > >> > >I wanted to double-check which version of FreeBSD (if any) can address a >> > >SYN flooding DoS attack. The latest FreeBSD sources (tcp_input.c and >> > >ip_input.c) do not seem to have any code to address such an attack. Maybe I am >> > >missing something. >> > > >> > >So if you folks can enlighten me on whether or how to handle the SYN attack from >> > >within the kernel, I would appreciate it. I am aware of ingress filtering; while >> > >that can help attacks from randomized IP addresses, it will fail in the case of >> > >an attack from a spoofed trusted IP address. Hence the desire to look into the >> > >kernel for a fix. >> > > >> > >Thanks. >> > >Umesh. >> > > >> > > >> > > >> > > >> > >To Unsubscribe: send mail to majordomo@FreeBSD.org >> > >with "unsubscribe freebsd-security" in the body of the message >> > >> > >> > >> > To Unsubscribe: send mail to majordomo@FreeBSD.org >> > with "unsubscribe freebsd-security" in the body of the message >> > >> >> >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org >> with "unsubscribe freebsd-security" in the body of the message >> > > >-- >work: dga@lcs.mit.edu me: dga@pobox.com > MIT Laboratory for Computer Science http://www.angio.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.3.2.7.2.20001201140439.048d42f0>