Date: Fri, 20 Sep 1996 10:25:42 -0600 From: Warner Losh <imp@village.org> To: steve farrell <spfarrel@midway.uchicago.edu> Cc: newton@communica.com.au (Mark Newton), security@freebsd.org Subject: Re: comments on the SYN attack Message-ID: <199609201625.KAA29669@rover.village.org> In-Reply-To: Your message of "Fri, 20 Sep 1996 03:43:17 -0000." <199609200343.DAA03778@phaedrus.uchicago.edu> References: <199609200343.DAA03778@phaedrus.uchicago.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <199609200343.DAA03778@phaedrus.uchicago.edu> steve farrell writes: : but what about randomly? first: i think randomly killing packets : is a fallacy since the longer the packet remains on the queue, the : more likely it will get killed (if 1% of packets are killed every : second, then the packet which hangs out on the queue 100secs will : probably get killed, whereas the one that hangs out 10secs will : probably not.) -- so if there is an effective difference, it's : odd and probably not very important. If you have a queue of 100, say, and 1 gets killed a second, then the chances of survival for 100 seconds is about 36%. The chances of survival for 10s is 91%. Given that you'll likely have more than one valid SYN in even a 10s window, at least one of them should generally survive. Initial SYNs are retransmitted, so dropping one of them isn't bad as long as you don't drop them all. Keep in mind that randomly killing a packet produces results that aren't intitive sometimes. I would have expected after 100 hits, the chances of a packet surviving were near 0 (like .0000something). Turns out to be about 1 in 3, which is a very different property than FIFO. In a FIFO killing model after 100s you are dead no matter what, so it is a hard limit. It that property useful? My gut tells me that it is, but I have no hard evidence to back this up at this time. The goal is to make the system more useful and make the attacker harder to starve legitimate connections. Ideally, one would want to reduce it to a ping flood attack (it eats only bandwidth). Warner
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199609201625.KAA29669>