North American Network Operators Group
Re: New Denial of Service Attack ...
Ok, I'm confused. Quoting from Vernon's message:

> Date: Wed, 18 Sep 1996 14:32:14 -0600
> From: firstname.lastname@example.org (Vernon Schryver)
> Subject: SYN bombing defense
>
> I've just hacked IRIX 6.3 to do random-drop when sonewconn() in
> tcp_input.c fails. It works great! An IP22 receiving 1200 bogus
> SYN's per second directed to port 23 continues to answer requests
> for new telnet as if nothing is happening.
> ...
> As I figure it, as long as the length of the queue is longer than RTT
> of the real telnet client times the rate of bogus SYNs, the real
> clients have an excellent probability of getting through on their
> first attempt. For example, at 1200 bogus SYNs/sec and the IRIX 6.3
> telnet listen queue of 383, there should be no trouble with peers
> with RTT up to about 300 milliseconds. I've tested with a telnet
> client 250 milliseconds away while simultaneously bombing the machine
> from nearby with ~1200 SYNs/sec, and see no telnet TCP retransmissions.

Because the queue is always full, you must have been doing 1200
random-drops per second, also. A telnet client 250ms away is therefore
on average exposed to 300 random-drops, each of which has a chance of
1/383 of killing it. Its probability of survival is (1-1/383)^300, or
.456, not so good. It would be different if it were oldest-drop, but
random-drop is what's stated.

Lacking evidence, I won't argue with the experimental finding that the
problem goes away - but if so, what's wrong with my computation?

Barney Wolff <email@example.com>
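The survival computation in the message above, carried through as an added example (not part of the original post, and not the IRIX change it discusses). It assumes, as the message does, a listen queue that is always full and a client entry that has to outlast one RTT; the function names are made up for this example, and it also models the oldest-drop policy the message contrasts with random-drop.

```python
import random
from collections import deque

QUEUE_LEN = 383   # IRIX 6.3 telnet listen queue length quoted in the message
SYN_RATE = 1200   # bogus SYNs per second quoted in the message
RTT = 0.250       # client round-trip time in seconds quoted in the message

def drops_during_rtt(syn_rate, rtt):
    """Evictions the client's half-open entry sits through (assumes a full queue)."""
    return round(syn_rate * rtt)

def random_drop_closed_form(queue_len, syn_rate, rtt):
    """(1 - 1/Q)^(rate * RTT): each eviction picks one of Q slots uniformly."""
    return (1 - 1 / queue_len) ** drops_during_rtt(syn_rate, rtt)

def random_drop_simulated(queue_len, syn_rate, rtt, trials=5000, seed=1996):
    """Monte Carlo check: every bogus SYN replaces a uniformly chosen slot."""
    rng = random.Random(seed)          # fixed seed so the run is repeatable
    drops = drops_during_rtt(syn_rate, rtt)
    survived = 0
    for _ in range(trials):
        queue = ["bogus"] * queue_len
        queue[rng.randrange(queue_len)] = "client"     # client's SYN takes a slot
        for _ in range(drops):
            queue[rng.randrange(queue_len)] = "bogus"  # random-drop eviction
        survived += "client" in queue
    return survived / trials

def oldest_drop_survives(queue_len, syn_rate, rtt):
    """FIFO eviction: the client is dropped only after queue_len later arrivals."""
    queue = deque(["bogus"] * (queue_len - 1) + ["client"], maxlen=queue_len)
    for _ in range(drops_during_rtt(syn_rate, rtt)):
        queue.append("bogus")          # a maxlen deque discards its oldest entry
    return "client" in queue

if __name__ == "__main__":
    print("drops per RTT      :", drops_during_rtt(SYN_RATE, RTT))
    print("random-drop formula:", round(random_drop_closed_form(QUEUE_LEN, SYN_RATE, RTT), 3))
    print("random-drop sim    :", random_drop_simulated(QUEUE_LEN, SYN_RATE, RTT))
    print("oldest-drop ok     :", oldest_drop_survives(QUEUE_LEN, SYN_RATE, RTT))
```

The model covers a single SYN attempt only; client retransmissions are not simulated.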