North American Network Operators Group
Re: New form of packet attack named Stream
- From: Damon M. Conway
- Date: Fri Jan 21 17:00:35 2000
Pat Myrto wrote:
>
>Alex P. Rudnev has declared that:
>>
>>
>> > > e-mail me asking for the code.
>> >
>> > Actually, you provided enough details, so any Unix guy who knows
>> > his sockets can write the program in fifteen minutes.
>> >
>> > This type of attack has been known for a long time (and there are even
>> > nastier variations using TCP header bits and fragments), and, unfortunately,
>> > there's no good defense against it.
>> There is one base rule - you (the OS) MUST limit the resources (CPU, MEMORY, buffers,
>> sockets, etc.) caught by any SINGLE origin (IP address, program, service).
>>
>> Such an approach breaks almost any DoS attack except a few - for example, if you try
>> to exhaust memory by attacking a single service, then (1) the service can't catch all
>> memory because it's a SINGLE origin, and (2) one SRC address can't catch many
>> resources because it's a SINGLE origin, and (3) you can't generate too many
>> different addresses in case of reverse-filtering.
>
>Any ideas/suggestions for hacks to the kernel, etc. (i.e., FreeBSD, Linux, etc.)
>to impose such limits (configurable by the admin, preferably)? Especially
>in the CPU usage and memory areas (perhaps sockets/handles, too).
From freebsd-current yesterday:
Subject: half-fix for stream.c
http://www.freebsd.org/~alfred/tcp_fix.diff
damon
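The per-origin rule Alex Rudnev states above (a single source address may hold only a bounded share of a resource, and the service as a whole is capped) is easy to sketch in user space. The following is an added example written for this page; it is not code from the thread, from stream.c, or from the FreeBSD tcp_fix.diff linked above, whose contents are not reproduced here. The resource unit, the table size and the two limits (8 units per source IP, 64 per service) are assumptions chosen for illustration; the source addresses in main() are constructed test data.

```c
/* Added example: per-origin resource accounting with a service-wide cap.
 * Not from the thread or from the FreeBSD patch; limits are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ORIGIN_SLOTS   256   /* bounded table of tracked source addresses (assumed) */
#define PER_ORIGIN_MAX   8   /* units one source IP may hold: rule (2) above */
#define SERVICE_MAX     64   /* units the whole service may hold: rule (1) above */

struct origin {
    uint32_t ip;     /* IPv4 source, host order; 0 is reserved for "empty" */
    unsigned held;   /* units currently held by this origin */
};

struct limiter {
    struct origin tbl[ORIGIN_SLOTS];
    unsigned total;  /* units held by all origins together */
};

enum verdict {
    ADMIT = 0,
    DENY_ORIGIN = 1,   /* this source already holds PER_ORIGIN_MAX */
    DENY_SERVICE = 2,  /* the service as a whole is at SERVICE_MAX */
    DENY_TABLE = 3     /* no slot free; unreachable while SERVICE_MAX <= ORIGIN_SLOTS */
};

void limiter_init(struct limiter *l) { memset(l, 0, sizeof *l); }

static unsigned hash_ip(uint32_t ip)
{
    ip ^= ip >> 16; ip *= 0x45d9f3bu; ip ^= ip >> 16;
    return ip % ORIGIN_SLOTS;
}

/* Linear probing. First pass looks for ip along its probe chain; if absent and
 * create is set, the first slot holding nothing (held == 0) is reclaimed. Slots
 * are never zeroed, so probe chains stay intact after releases. */
static struct origin *find_origin(struct limiter *l, uint32_t ip, int create)
{
    unsigned start = hash_ip(ip), i;
    struct origin *free_slot = NULL;
    for (i = 0; i < ORIGIN_SLOTS; i++) {
        struct origin *o = &l->tbl[(start + i) % ORIGIN_SLOTS];
        if (o->ip == ip) return o;
        if (o->held == 0 && free_slot == NULL) free_slot = o;
        if (o->ip == 0) break;        /* end of chain: ip is not present */
    }
    if (!create || free_slot == NULL) return NULL;
    free_slot->ip = ip; free_slot->held = 0;
    return free_slot;
}

/* Charge one unit (e.g. a half-open connection slot) to src_ip. */
enum verdict limiter_acquire(struct limiter *l, uint32_t src_ip)
{
    struct origin *o;
    if (l->total >= SERVICE_MAX) return DENY_SERVICE;
    o = find_origin(l, src_ip, 1);
    if (o == NULL) return DENY_TABLE;
    if (o->held >= PER_ORIGIN_MAX) return DENY_ORIGIN;
    o->held++; l->total++;
    return ADMIT;
}

/* Return one unit; -1 if src_ip holds nothing. */
int limiter_release(struct limiter *l, uint32_t src_ip)
{
    struct origin *o = find_origin(l, src_ip, 0);
    if (o == NULL || o->held == 0) return -1;
    o->held--; l->total--;
    return 0;
}

unsigned limiter_held_by(struct limiter *l, uint32_t src_ip)
{
    struct origin *o = find_origin(l, src_ip, 0);
    return o ? o->held : 0;
}

/* n attempts from one source; returns how many were admitted. */
unsigned acquire_n(struct limiter *l, uint32_t ip, unsigned n)
{
    unsigned ok = 0, i;
    for (i = 0; i < n; i++) if (limiter_acquire(l, ip) == ADMIT) ok++;
    return ok;
}

/* Spoofed flood: n attempts, each from a distinct source base+i. */
unsigned flood_distinct(struct limiter *l, uint32_t base, unsigned n)
{
    unsigned ok = 0, i;
    for (i = 0; i < n; i++) if (limiter_acquire(l, base + i) == ADMIT) ok++;
    return ok;
}

int main(void)
{
    struct limiter l;
    limiter_init(&l);   /* constructed scenario: one abusive client, one legit client, one spoofed flood */
    printf("192.0.2.1 admitted %u of 20\n", acquire_n(&l, 0xC0000201u, 20));
    printf("10.0.0.5 admitted %u of 3\n", acquire_n(&l, 0x0A000005u, 3));
    printf("spoofed flood admitted %u of 100\n", flood_distinct(&l, 0xCB007100u, 100));
    printf("10.0.0.5 verdict after flood: %d\n", limiter_acquire(&l, 0x0A000005u));
    return 0;
}
```

The scenario in main() shows both halves of the argument. A single noisy source is held to 8 units no matter how hard it tries, and the service as a whole can never take the host past 64 units, which is rules (1) and (2). But a flood that spoofs a fresh source per packet is a new origin every time, so it walks straight up to the service cap and the legitimate client is then refused along with everyone else; that is exactly why rule (3), reverse-path filtering so that an attacker cannot invent arbitrary source addresses, has to sit alongside the per-origin limits rather than replace them.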