New Denial of Service Attack on Panix

Vern Schriver at SGI has been running experiments and
the conclusions are pretty compelling.

Yes, I have been looking for 'another approach' other than random
drop, just as an alternative. But, since ICMP/IP seems to be
broken, using ICMP UNREACHABLE error messages does not work.

I agree that random drop is 'best current idea' (BCI :)
However, I think it is prudent to look at other possible
approaches as well. This is what I have been doing in the lab;
looking to see if any other practical alternatives exist
at the kernel implementation of TCP/IP.

My efforts in the lab do not imply that random drop
is not a good idea. On the contrary, the
more I look for an alternative solution, the better
random drop appears.

However, it is interesting to see if another kernel
mod would work as well......... I do worry about
the limitation of the queue drop algorithm based
on queue size and delay.

FYI: I implemented 'someone's' version of random drop
on my servers (using their patch) and the servers
all crashed (when the attack was fast and hard on
the same subnet). There is a lot of work to be
done.

Thanks,

Tim
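As an added illustration of why random drop holds up under a SYN flood (this is not Tim's code, nor any of the patches discussed above): a small simulation of a server's half-open connection queue that compares random eviction with evicting the entry that has waited longest. The backlog size, attack rate, client RTT and legitimate arrival rate are all constructed values.

```python
import random

RTT_MS = 200          # ms a real client needs to answer the SYN-ACK (constructed)
BACKLOG = 128         # half-open queue limit (constructed)
ATTACK_PER_MS = 1     # spoofed SYNs per millisecond, i.e. 1000/s (constructed)
LEGIT_EVERY_MS = 10   # one real client SYN every 10 ms (constructed)

def simulate(policy, duration_ms=5000, seed=1):
    """1 ms-step model of the SYN backlog under a spoofed-SYN flood.

    Returns the fraction of legitimate handshakes that completed.
    policy: 'random' evicts a random half-open entry when the queue is
            full (random drop); 'oldest' evicts the entry that has been
            queued longest, i.e. a drop rule keyed on queue size and
            waiting time (hypothetical stand-in for the approach Tim
            worries about, not his or anyone's actual patch).
    """
    rng = random.Random(seed)
    queue = []                      # entries are [arrival_ms, is_legit]
    legit_sent = legit_done = 0
    for now in range(duration_ms):
        # Legitimate clients whose ACK has arrived finish the handshake
        # and leave the half-open queue.  Spoofed entries never complete.
        remaining = []
        for entry in queue:
            if entry[1] and now - entry[0] >= RTT_MS:
                legit_done += 1
            else:
                remaining.append(entry)
        queue = remaining
        arrivals = [False] * ATTACK_PER_MS
        if now % LEGIT_EVERY_MS == 0 and now + RTT_MS < duration_ms:
            arrivals.append(True)   # a real client SYN that could still finish
            legit_sent += 1
        for is_legit in arrivals:
            if len(queue) >= BACKLOG:
                victim = rng.randrange(len(queue)) if policy == 'random' else 0
                queue.pop(victim)
            queue.append([now, is_legit])
    return legit_done / legit_sent

if __name__ == "__main__":
    for policy in ("oldest", "random"):
        print(f"{policy:7s} drop: {simulate(policy):.0%} of real clients connect")
```

With the flood filling the backlog faster than a real client can answer, drop-oldest evicts every legitimate entry before its ACK arrives, while random drop lets a fraction of roughly exp(-evictions per RTT / backlog) through.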