Date: Fri, 21 Jan 2000 10:06:40 -0700
From: Brett Glass <brett@lariat.org>
To: gdonl@tsc.tdk.com (Don Lewis), Matthew Dillon <dillon@apollo.backplane.com>
Cc: Alfred Perlstein <bright@wintelcom.net>, security@FreeBSD.ORG
Subject: Re: stream.c worst-case kernel paths
Message-ID: <4.2.2.20000121100135.01a55390@localhost>
In-Reply-To: <200001211510.HAA13068@salsa.gv.tsc.tdk.com>
References: <Matthew Dillon <dillon@apollo.backplane.com>
At 08:10 AM 1/21/2000 , Don Lewis wrote:

>I agree. Failing to set RST makes SYN floods worse. The victim machine
>will have more sockets hanging around in a SYN-SENT state that keep sending
>SYN+ACK packets until the sockets time out. If the spoofed clients send
>RST packets in response, then the server will immediately nuke these
>sockets and won't have their incoming bandwidth consumed by the packets
>they are ignoring (they'll receive one packet and send one packet for
>each spoofed SYN instead of receiving N packets and sending none if they
>don't send RST packets).

Good point! But should we rely on the hosts sending RSTs? Many SYN floods
intentionally use unregistered IPs, for just this reason: a RST never comes
back. (But an ICMP "unreachable" message may, and this congests the victim
even more.)

>It's also a lot easier to spoof a TCP connection from a host that doesn't
>send RST packets.

Also true. All of this sounds like a good argument for the application of
game theory to protocol design. :-S

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
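The packet-count argument in the exchange above is easy to check with a small model. The following is an added example, not code from the thread or from FreeBSD: it models the listening side's half-open entry (SYN-RECEIVED in RFC 793 terms) under a spoofed SYN and counts what the victim has to receive and send depending on how the spoofed source address behaves. The retransmission schedule, the 75 s half-open timeout, the 0.1 s round trip, and the choice that an ICMP unreachable is received but does not tear the entry down are all assumptions chosen for illustration; real stacks differ in every one of these numbers.

```python
"""Toy accounting model for a spoofed SYN flood (constructed example)."""
from dataclasses import dataclass

# Assumptions (not from the thread): the victim retransmits SYN+ACK with
# exponential backoff at these offsets and drops the half-open entry once
# HALF_OPEN_TIMEOUT seconds have passed without completing the handshake.
SYNACK_SCHEDULE = (0.0, 3.0, 6.0, 12.0, 24.0, 48.0)   # send times, seconds
HALF_OPEN_TIMEOUT = 75.0                               # seconds
RTT = 0.1                                              # seconds to spoofed address


@dataclass
class Stats:
    rx: int = 0          # packets the victim had to receive and process
    tx: int = 0          # packets the victim had to send
    held: float = 0.0    # seconds the half-open entry stayed in the queue


def spoofed_host_reply(behaviour):
    """What the spoofed source does with a SYN+ACK it never asked for."""
    if behaviour == "rst":
        return "RST"     # a conforming host resets an unexpected SYN+ACK
    if behaviour == "unreachable":
        return "ICMP"    # unused address: last-hop router answers with ICMP
    return None          # "silent": host or firewall drops it without an RST


def simulate_one_syn(behaviour):
    """Cost to the victim of one spoofed SYN whose source acts as `behaviour`."""
    st = Stats()
    st.rx += 1                                   # the spoofed SYN itself
    for t in SYNACK_SCHEDULE:
        st.tx += 1                               # SYN+ACK (re)transmission
        reply = spoofed_host_reply(behaviour)
        if reply == "RST":
            st.rx += 1                           # RST arrives one RTT later
            st.held = t + RTT
            return st                            # entry torn down at once
        if reply == "ICMP":
            st.rx += 1                           # assumption: entry is kept
    st.held = HALF_OPEN_TIMEOUT                  # nothing came back: time out
    return st


def simulate_flood(behaviour, n_syns):
    """Totals for n_syns spoofed SYNs, all with the same source behaviour."""
    totals = Stats()
    for _ in range(n_syns):
        one = simulate_one_syn(behaviour)
        totals.rx += one.rx
        totals.tx += one.tx
        totals.held += one.held
    return totals


def steady_state_half_open(behaviour, syn_rate):
    """Entries resident at steady state by Little's law: rate * holding time."""
    return syn_rate * simulate_one_syn(behaviour).held


if __name__ == "__main__":
    for b in ("rst", "silent", "unreachable"):
        s = simulate_one_syn(b)
        print(f"{b:12s} rx={s.rx} tx={s.tx} held={s.held:.1f}s "
              f"queue@100 SYN/s={steady_state_half_open(b, 100):.0f}")
```

The RST case costs the victim two packets in and one out and frees the queue slot after a round trip; the silent case costs one in and six out and pins the slot for the whole timeout; the unreachable case keeps the slot just as long and adds one inbound ICMP per retransmission, which is the "congests the victim even more" point. Under a 100 SYN/s flood the steady-state queue is 10 entries for RST-sending sources against 7500 for silent or unreachable ones, so the queue depth, not the bandwidth, is what the attacker is really buying with unroutable source addresses.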