North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Proactive steps to prevent DDOS?

  • From: Jason Legate
  • Date: Sun Jan 28 14:51:12 2001

> I would add careful use of some rate-limiting
> functionality, 
> (already mentioned in Richard Steenbergen's
> so you can rate-limit things like icmp and acks
> numbered 0 and anything
> else that show themselves to be obvious candidates
> over time.

In actuality, in a TCP SYN packet, an ack of 0 is very
common.  If you view legitimate syn's generated by
real stacks, you will see at dword offset 7:

Last time I checked, this was a 0 for all intents and
purposes.  By rate-limiting acks of 0, you are
rate-limiting most syn packets, which I don't think is
the ultimate goal.


Do You Yahoo!?
Yahoo! Auctions - Buy the things you want at great prices.