Date: Thu, 19 Sep 1996 23:13:21 -0600
From: Warner Losh <imp@village.org>
To: newton@communica.com.au (Mark Newton)
Cc: security@FreeBSD.org
Subject: Re: comments on the SYN attack
Message-ID: <199609200513.XAA26063@rover.village.org>
In-Reply-To: Your message of Fri, 20 Sep 1996 14:23:17 +0930
: I'd suggest that keeping the SYN list sorted by arrival time and dropping
: the oldest SYN whenever resources are scarce would be a better solution
: (it's more deterministic, for a start. Also, one of the evil things
: about random number generators is that they're not random...)

The random numbers wouldn't have to be perfect in this case. They would
just have to pick a victim. The randomness is part of the solution, so
changing it would change the character of it dramatically.

: However, even that won't "solve" the problem: A determined SYN bomber
: would merely have to ensure that he sent packets quickly enough to
: make the queue cycle completely within the 200mSec or so that one
: can reasonably expect a SYN-SYN/ACK-ACK exchange to take (keep the
: un-ACK'ed SYNs walking through the list LED-chaser style). That's a
: somewhat higher transmission rate than the one required to cause denial
: of service under current implementations, but it's still well within
: the realms of possibility :-/

I think that's why you'd have to do it at random.

: If the bomber isn't that determined, dropping the oldest SYN will ensure
: that those SYNs which aren't the oldest (eg: the one you just planted onto
: the queue by typing "telnet hostname") don't get dropped unless load is
: exceptional.

That is true. However, my gut tells me that the random victim will give
better behavior than "shoot the oldest one". If you have a queue length of
1000, and can deliver 500 bogus SYNs in the 200mS that it takes, then you'd
have a 60% chance of not dropping the good SYN (1 - .999 ^ 500 = 60%). If
you can deliver 1000 bogus SYNs in that time, then the deterministic method
would have a 0% chance, and the random method would have a 35% chance of
surviving (if bc on my machine for .999^1000 can be trusted). Given that
SYNs are retransmitted, then you'd be able to get after 2 tries on the
average. If the bomber can pump 10,000 packets in, then you lose
(< 0.0045% chance of survival). Even 5,000 drop it to 0.6%. However, 5,000
packets in 200mS is 25,000 packets in a second, which would be 1MB/s or
10Mb/s. So you'd be safe as long as you are behind something of T1 speed
or slower :-) If you aren't then you'll need longer queues...

I agree it isn't perfect, but it seems better than the alternatives.

Warner
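The survival odds discussed above, as an added worked example that is not part of the original thread: a half-open queue of Q slots holds one legitimate SYN in the newest slot, and N bogus SYNs arrive before its handshake completes; each arrival evicts either a uniformly random entry or the oldest one. Q = 1000 and the N values come from the message; the function names, the Monte Carlo seed and the trial count are my own assumptions.

```python
import random


def random_drop_survival(queue_len, bogus_syns):
    """Analytic odds that one legitimate half-open entry is still queued
    after bogus_syns further arrivals to a full queue of queue_len slots,
    when every arrival evicts a uniformly random entry (p = 1/queue_len
    per arrival). For Q=1000 this is the .999^N series in the message."""
    return (1.0 - 1.0 / queue_len) ** bogus_syns


def oldest_drop_survival(queue_len, bogus_syns):
    """Drop-oldest is deterministic: the legitimate entry, newest when it
    arrives, is evicted by exactly the queue_len-th later bogus arrival."""
    return 1.0 if bogus_syns < queue_len else 0.0


def simulate_survival(queue_len, bogus_syns, policy, trials, seed=1):
    """Monte Carlo check of both policies. Only the legitimate entry's
    slot index is tracked: slot 0 is the oldest, queue_len-1 the newest."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    survived = 0
    for _ in range(trials):
        pos = queue_len - 1  # legitimate SYN just appended as the newest
        for _ in range(bogus_syns):
            victim = rng.randrange(queue_len) if policy == "random" else 0
            if victim == pos:
                pos = None  # our entry was the one evicted
                break
            if victim < pos:
                pos -= 1  # entries newer than the victim shift one slot older
        if pos is not None:
            survived += 1
    return survived / trials


if __name__ == "__main__":
    Q = 1000  # queue length assumed in the message
    print(f"{'bogus SYNs':>10} {'random':>8} {'sim':>8} {'oldest':>8}")
    for n in (500, 1000, 5000, 10000):
        print(f"{n:>10} {random_drop_survival(Q, n):8.4f} "
              f"{simulate_survival(Q, n, 'random', 200):8.4f} "
              f"{oldest_drop_survival(Q, n):8.1f}")
```

The table makes the trade-off concrete: drop-oldest is all-or-nothing at N = Q, while random drop degrades smoothly and still leaves a retransmitted SYN a chance once the attacker's rate exceeds the queue length per round trip.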