New Denial of Service Attack on Panix

Michael Dillon writes:
> There are at least three things you can do to protect yourself from such
> attacks. One is to patch your UNIX/BSD kernel to allow much higher numbers
> of incomplete socket connections.

Also, hashing the incoming PCBs is a big win.

Or not even creating PCBs and socket structures for the un-acknowledged
SYNs. Keep them in a data structure that stores the pertinent info and
reconstruct the packets when the ack comes in (when you create the mbufs/
PCB/socket).

That breaks TCP, and often badly. In fact, the problem isn't so bad
with a properly designed kernel. The initial experiments say that
increasing the size of the incoming connection queue, hashing the
queue, and adaptively lowering the timeout on infant connections
should permit you to survive pretty intense attack without stopping
service. This is probably the best approach for people to unilaterally
take.

Here here.

However, in general, it would be very nice for providers to start
filtering their customers so that they could not send forged packets
from network numbers they don't own.

Here here here.

Perry

Avi