nanog mailing list archives
RE: engineering --> ddos and flooding
From: Matt Zito <mzito () register com>
Date: Mon, 4 Jun 2001 15:24:26 -0400
-----Original Message----- From: Richard A. Steenbergen [mailto:ras () e-gerbil net] Sent: Monday, June 04, 2001 3:09 PM To: Matt Zito Cc: Paul Johnson; nanog () merit edu Subject: RE: engineering --> ddos and floodingRate-limiting ICMP is not so difficult - rate-limiting SYNs is basically useless. Syn floods work not because the amountof trafficthey do, but because they fill up state tables or make them so horribly inefficient as to make the box cease responding onthat port.Given that, say, a linux box has a default queue depth of 128, I can send 128 spoofed SYNs at a rate of one a second, and in two minutes that box will stop responding. The larger you make the queue, the longer it will stand up to a slow SYN attack, but the morecostly eachincoming SYN and SYN+ACK becomes, as the data structures become more and more unwieldy.Wrong, and very much out of date. I didn't write all this down to waste my breath... http://www.e-gerbil.net/ras/projects/dos/dos.txt
Well, what I said is inaccurate for SOME operating systems. A default linux box today still has a 128-syn queue. Unless you enable syn cookies, you're screwed - I haven't checked BSD or Solaris for slow-syn behavior recently. Syn cookies also aren't a magic bullet - you lose TCP options that some people really want/need. And rate-limiting SYN is still a bad idea - if you rate-limit to a certain bandwidth, either your server will not be able to handle the incoming syns and will stop responding, or legitimate incoming traffic will hit the floor because the queue on the router is full (or approaching full and RED is invoked) and legitimate incoming requests will be dropped. This might be okay for places where one server performs many functions - i.e. the box is still available on other ports, but in larger infrastructures, a box generally has one purpose, and if its purposed port is down, the box might as well be turned off. So, I prefer solutions that negotiate the connection before passing it back to the host - like (insert basically any firewall product here). Some do it better than others, of course - the netscreen 100, 500, and 1000 seem much better than anything else the field has to offer. Thanks, Matt
Current thread:
- Re: engineering --> ddos and flooding, (continued)
- Re: engineering --> ddos and flooding Hank Nussbacher (Jun 03)
- Re: engineering --> ddos and flooding Geoff Zinderdine (Jun 04)
- Re: engineering --> ddos and flooding Sykes, Phil (Jun 01)
- Re: engineering --> ddos and flooding Paul Johnson (Jun 04)
- Re: engineering --> ddos and flooding Mark Mentovai (Jun 04)
- Re: engineering --> ddos and flooding Valdis . Kletnieks (Jun 04)
- Re: engineering --> ddos and flooding Dan Hollis (Jun 04)
- RE: engineering --> ddos and flooding Matt Zito (Jun 04)
- RE: engineering --> ddos and flooding Hank Nussbacher (Jun 04)
- RE: engineering --> ddos and flooding Richard A. Steenbergen (Jun 04)
- RE: engineering --> ddos and flooding Matt Zito (Jun 04)
- RE: engineering --> ddos and flooding Richard A. Steenbergen (Jun 04)