From owner-freebsd-security Fri Dec 1 13: 8:52 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id CD46537B401 for ; Fri, 1 Dec 2000 13:08:48 -0800 (PST) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA26265; Fri, 1 Dec 2000 14:08:36 -0700 (MST) Message-Id: <4.3.2.7.2.20001201140439.048d42f0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 01 Dec 2000 14:08:29 -0700 To: "David G. Andersen" , rjh@mohawk.net (Ralph Huntington) From: Brett Glass Subject: Re: Defeating SYN flood attacks Cc: umesh@juniper.net (Umesh Krishnaswamy), freebsd-security@FreeBSD.ORG, steve@grc.com In-Reply-To: <200012012100.OAA05277@faith.cs.utah.edu> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 02:00 PM 12/1/2000, David G. Andersen wrote: >Lo and behold, Ralph Huntington once said: >> >> This is very very clever. I don't see any holes in it (anyone else?). > >It needs more peer review. In particular: > > a) A good comparison to Linux's syncookies Steve *sort of* does this, but doesn't get into much detail. > b) An evaluation of the computational load of performing an > encryption on every SYN. Does this create a CPU DOS attack? Good question! This can probably be controlled by the number of rounds of encryption. > c) An evaluation of how it times out old SYN packets > (replay, packet duplication). What are the consequences? Steve's algorithm doesn't have any timeouts. I think that this is one of its weaknesses: the key is only changed at each boot, instead of, say, hourly. This leaves a server open to known plaintext attacks which can drastically limit the search space required to break the cipher. > d) Not to use a patented and licensed cipher. I see no reason not to use MD5 instead of RC5. FreeBSD already has MD5 in the kernel! --Brett >I think that my reasons for suggesting all of the above are obvious, but >if you'd like clarification, I'll spout more. > > -Dave > > >> >> On Fri, 1 Dec 2000, Brett Glass wrote: >> >> > Steve Gibson just published a great article on SYN flood avoidance, >> > complete with a mechanism that I think FreeBSD should adopt for it. >> > See >> > >> > http://grc.com/r&d/nomoredos.htm >> > >> > --Brett >> > >> > At 12:04 PM 12/1/2000, Umesh Krishnaswamy wrote: >> > >> > >Hi Folks, >> > > >> > >I wanted to double-check which version of FreeBSD (if any) can address a >> > >SYN flooding DoS attack. The latest FreeBSD sources (tcp_input.c and >> > >ip_input.c) do not seem to have any code to address such an attack. Maybe I am >> > >missing something. >> > > >> > >So if you folks can enlighten me on whether or how to handle the SYN attack from >> > >within the kernel, I would appreciate it. I am aware of ingress filtering; while >> > >that can help attacks from randomized IP addresses, it will fail in the case of >> > >an attack from a spoofed trusted IP address. Hence the desire to look into the >> > >kernel for a fix. >> > > >> > >Thanks. >> > >Umesh. >> > > >> > > >> > > >> > > >> > >To Unsubscribe: send mail to majordomo@FreeBSD.org >> > >with "unsubscribe freebsd-security" in the body of the message >> > >> > >> > >> > To Unsubscribe: send mail to majordomo@FreeBSD.org >> > with "unsubscribe freebsd-security" in the body of the message >> > >> >> >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org >> with "unsubscribe freebsd-security" in the body of the message >> > > >-- >work: dga@lcs.mit.edu me: dga@pobox.com > MIT Laboratory for Computer Science http://www.angio.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message