North American Network Operators Group
Re: New Denial of Service Attack on Panix
Now can I hold my breath waiting for vendors to incorporate this stuff into their products?
Has anybody heard anything from Sun on this matter?

Dima

Mike O'Dell writes:
>
> Vern Schriver at SGI has been running experiments and
> the conclusions are pretty compelling.
>
> Have the listen queue do Random Drop of waiting connections.
> If the queue size is equal to or greater than the attack rate
> times the expected round-trip time, the probability of a
> real session connecting on the first SYN is very close to one.
>
> Note this performs much better than "oldest drop" (aka FIFO).
>
> In his tests, a machine sustained a 1200 SYN/second attack
> with no observable impact on system performance. With a
> queue size of 383, from a machine 250 msec round-trip away, thousands
> of connections completed with only a handful of initial SYN
> retransmissions (again, with a 1200 SYN/sec attack).
>
> Best way to make the bogons leave is to make it not fun anymore.
>
> This certainly seems to accomplish the goal.
>
> -mo
> - - - - - - - - - - - - - - - - -
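The two eviction policies compared in the quoted message, as an added toy model that is not part of the post and not SGI's implementation. It follows one legitimate SYN through a listen queue of Q entries that the flood has already filled, with A*R attacker SYNs (attack rate times round-trip time) arriving before the legitimate client's ACK comes back. Everything else is an assumption of this model rather than something the page states: spoofed entries never complete and never time out inside the window, a real connection completes only if its entry is still queued when the ACK arrives, and no SYN is retransmitted. Under those assumptions random drop throws the real entry away with probability 1/Q per attacker SYN, giving a closed-form survival of (1 - 1/Q)^(A*R), while oldest-drop keeps it until exactly Q further SYNs have arrived and then always loses it.

```python
"""Toy model of listen-queue eviction under a SYN flood (constructed example)."""
import random

BOGUS = "bogus"   # a spoofed half-open entry; in this model it never completes or expires


def legit_survives(policy, queue_size, bogus_arrivals, rng):
    """Follow one legitimate SYN through a listen queue already saturated by the flood.

    policy: "random" evicts a uniformly chosen entry when the queue is full,
            "fifo" evicts the oldest entry (what the message calls "oldest drop").
    Returns True if the legitimate entry is still queued after `bogus_arrivals`
    attacker SYNs, i.e. when its client's ACK would arrive one RTT later.
    """
    queue = [BOGUS] * queue_size          # constructed start state: full of attack entries
    legit = object()                      # unique sentinel for the real half-open connection
    for syn in [legit] + [BOGUS] * bogus_arrivals:
        if len(queue) >= queue_size:
            victim = rng.randrange(len(queue)) if policy == "random" else 0
            if queue[victim] is legit:
                return False              # the real connection was thrown away
            del queue[victim]
        queue.append(syn)
    return True


def completion_rate(policy, queue_size, attack_rate, rtt, trials=600, seed=7):
    """Monte Carlo fraction of legitimate SYNs that connect on the first try."""
    rng = random.Random(seed)
    n = round(attack_rate * rtt)          # attacker SYNs that land inside one round-trip
    hits = sum(legit_survives(policy, queue_size, n, rng) for _ in range(trials))
    return hits / trials


def expected_random_drop(queue_size, attack_rate, rtt):
    """Closed form for the random-drop model: survive A*R evictions of chance 1/Q each."""
    return (1 - 1 / queue_size) ** (attack_rate * rtt)


def expected_oldest_drop(queue_size, attack_rate, rtt):
    """Oldest-drop is a cliff: the entry lives for exactly queue_size later arrivals."""
    return 1.0 if attack_rate * rtt < queue_size else 0.0


if __name__ == "__main__":
    Q, RTT = 383, 0.25                    # figures quoted in the message
    print(f"queue={Q} rtt={RTT * 1000:.0f}ms")
    print("rate   fifo(sim)  random(sim)  random(closed form)")
    for rate in (600, 1200, 1500, 2400):
        print(f"{rate:5d}  {completion_rate('fifo', Q, rate, RTT):9.3f}"
              f"  {completion_rate('random', Q, rate, RTT):11.3f}"
              f"  {expected_random_drop(Q, rate, RTT):19.3f}")
```

Run it as a script to tabulate both policies for a sweep of attack rates at the queue size and round-trip quoted above. What the model makes visible is the shape of the two curves rather than any single figure: oldest-drop is a cliff that falls to zero the moment A*R reaches Q, whereas random drop degrades smoothly and never reaches zero, so a client that retransmits its SYN always gets another independent chance. Anything the model leaves out (entry timeouts, RSTs from real hosts whose addresses were spoofed, the retransmission schedule) would move the numbers, and Vern's measurements quoted above include all of it.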