nanog mailing list archives
Re: New Denial of Service Attack ...
From: Barney Wolff <barney () databus com>
Date: Wed, 25 Sep 1996 20:43 EDT
> Date: Wed, 25 Sep 1996 18:01:50 -0600
> From: vjs () mica denver sgi com (Vernon Schryver)
>
> At R=100 SYNs/sec, RTT=250, and L=382, ((L-1)/L)^(RTT*R) = 93%, which is not so bad. Drop-oldest is better with those three numbers, since it works 100% (modulo ordinary problems), but its performance falls off the cliff to 0% at R=L/RTT. If you have a short queue and care about long RTT's, random drop is better than drop-oldest.
Agreed. Note that 93% is not bad for a human-initiated telnet, but is disastrous for a Web browser which initiates a dozen tcp sessions to retrieve one page, because the browser will probably not retry at all if it gets a reset, but instead report failure to retrieve the page to the user, who can only ask it to start over from the beginning.

So I think that it's better to accept the limited-radius-under-attack property of drop-oldest, gaining the immunity from interference within the safe radius. If it were possible to set the syn-rcvd timeout with sub-second granularity, this "fix" would not even take any kernel code mods - but of course it does not adjust the safe radius dynamically as the attack rate changes.

What's absolutely clear is that any method of queue pruning is better than none, and a big queue is required for survival.

Barney Wolff <barney () databus com>
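Putting numbers on the two backlog-pruning policies the thread compares, as an added example (not code from either poster): it evaluates the closed forms quoted above, the "dozen sessions per page" effect from the reply, and checks both against a small Monte Carlo model. The model assumes (not stated in the thread) that the backlog is already full of attack entries when the legitimate SYN arrives and that attack SYNs keep arriving at a steady rate R until the legitimate ACK returns one RTT later.

```python
"""Survival of one legitimate SYN in a SYN-flooded backlog of length L,
under random-drop and drop-oldest pruning (assumptions: backlog starts
full of attack entries; attack SYNs arrive at a steady R per second)."""
import random

def random_drop_survival(R, rtt, L):
    """Closed form from the thread: each of the R*rtt attack SYNs arriving
    during one RTT evicts a uniformly random entry, so the legitimate entry
    survives each eviction with probability (L-1)/L."""
    return ((L - 1) / L) ** (rtt * R)

def drop_oldest_survival(R, rtt, L):
    """Drop-oldest evicts the legitimate entry only after L newer SYNs have
    arrived, so it survives while R*rtt < L and is always lost beyond that."""
    return 1.0 if R * rtt < L else 0.0

def safe_radius(rtt, L):
    """Attack rate at which drop-oldest falls off the cliff: R = L/RTT."""
    return L / rtt

def page_load_success(p_syn, connections=12):
    """A browser opening `connections` TCP sessions for one page succeeds
    only if every SYN survives (no retry on reset, as the reply notes)."""
    return p_syn ** connections

def simulate(R, rtt, L, policy, trials=2000, seed=1):
    """Monte Carlo check of the closed forms. The backlog is a list of tags;
    the legitimate SYN is the newest entry when the flood continues."""
    rng = random.Random(seed)
    arrivals = int(R * rtt)          # attack SYNs seen before the legit ACK
    survived = 0
    for _ in range(trials):
        backlog = ["attack"] * (L - 1) + ["legit"]
        for _ in range(arrivals):
            if policy == "random":
                backlog[rng.randrange(L)] = "attack"  # evict a random entry
            else:
                backlog.pop(0)                        # evict the oldest entry
                backlog.append("attack")
        survived += "legit" in backlog
    return survived / trials

if __name__ == "__main__":
    R, rtt, L = 100, 0.25, 382      # the thread's numbers (RTT in seconds)
    p = random_drop_survival(R, rtt, L)
    print(f"random drop: {p:.3f} per SYN, {page_load_success(p):.3f} per page")
    print(f"drop-oldest: {drop_oldest_survival(R, rtt, L):.0%} up to "
          f"{safe_radius(rtt, L):.0f} SYNs/sec, then 0%")
    print("simulated random drop:", simulate(R, rtt, L, "random"))
```

With the thread's figures the per-page success for a twelve-connection browser is only about 46%, which is the point the reply makes about 93% being disastrous for the Web.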