New Denial of Service Attack ...

:----- Begin Included Message -----
:Subject: Re: FW: Latest attacks....
:date: Thu, 19 Sep 1996 08:39:02 +0100
:From: Jon Crowcroft <>
:date: Wed, 18 Sep 1996 14:32:14 -0600
:From: (Vernon Schryver)
:Subject: SYN bombing defense
:As reported here, in article <>
:in comp.protocols.tcp-ip, Robert Morris <> wrote
:>Perhaps TCP's listen queue should use random early drop (RED), a
:>technique used by routers to prevent any one source from monopolizing
:>a queue. See or
:> ...
:I've just hacked IRIX 6.3 to do random-drop when sonewconn() in
:tcp_input.c fails. It works great! An IP22 receiving 1200 bogus
:SYN's per second directed to port 23 continues to answer requests
:for new telnet as if nothing is happening.

Alan Cox just released a patch vs Linux 2.0.21 that does this. It works
quite well. As best I can tell from the patch and the mail that preceded
it, it attempts to maintain about 30% free in the receive queue. I've
been running it for a couple of days and it does quite well defending
against these attacks. I've stuck it on my web page.


:Vernon Schryver,
:------- End of Forwarded Message
:----- End Included Message -----
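The random-drop idea discussed above, as an added simulation that is not part of the original thread and is neither Vernon Schryver's IRIX change nor Alan Cox's Linux patch: a half-open (SYN_RECV) queue of fixed capacity is hit by a steady stream of bogus SYNs that never complete, plus one legitimate SYN per tick whose ACK arrives after a short RTT. Under plain tail drop, a full queue rejects every newcomer, so once the attacker has filled it the legitimate client almost never gets a slot until a bogus entry times out, and the attacker refills that slot first. Under random drop, the newcomer is always admitted and a random existing entry is evicted instead; a legitimate entry only needs to survive a few ticks, so most of them still complete. The queue size, rates, timeouts and the rule that an evicted legitimate client does not retry are all assumptions of this model.

```c
/* Hypothetical model of a TCP listen backlog under a SYN flood: tail drop
 * (what a failing sonewconn() gives you) versus random drop on overflow.
 * All parameters are assumptions chosen to illustrate the effect. */
#include <stdint.h>
#include <stdio.h>

#define BACKLOG     128   /* assumed capacity of the half-open queue */
#define ATTACK_RATE 10    /* assumed bogus SYNs arriving per tick */
#define RTT_TICKS   3     /* assumed ticks until a real client's ACK arrives */
#define SYN_TIMEOUT 100   /* assumed ticks before an unanswered SYN is reaped */
#define TICKS       1000  /* length of the simulation */

enum policy { TAIL_DROP, RANDOM_DROP };

struct entry  { int legit; long deadline; };   /* deadline: tick it completes or expires */
struct queue  { struct entry e[BACKLOG]; int n; };
struct result { long legit_syns; long completed; };

/* Small deterministic xorshift PRNG so a given seed always reproduces a run. */
static uint64_t rng_state;
static uint32_t rng_next(void) {
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 7;
    rng_state ^= rng_state << 17;
    return (uint32_t)(rng_state >> 32);
}

/* Try to place a new SYN in the queue. Returns 1 if it was admitted. */
static int admit(struct queue *q, struct entry ne, enum policy p) {
    if (q->n < BACKLOG) { q->e[q->n++] = ne; return 1; }
    if (p == TAIL_DROP) return 0;              /* queue full: newcomer is dropped */
    q->e[rng_next() % BACKLOG] = ne;           /* random drop: evict a random entry */
    return 1;
}

/* Run the flood for TICKS ticks and count legitimate handshakes that complete. */
struct result simulate(enum policy p, uint64_t seed) {
    struct queue q;
    struct result r = {0, 0};
    q.n = 0;
    rng_state = seed ? seed : 1;               /* xorshift must not start at zero */
    for (long t = 0; t < TICKS; t++) {
        /* Reap first: legitimate entries whose ACK arrived complete the
         * handshake, bogus entries that hit SYN_TIMEOUT are discarded.
         * Removal swaps the last element in, so i is not advanced then. */
        for (int i = 0; i < q.n; ) {
            if (q.e[i].deadline <= t) {
                if (q.e[i].legit) r.completed++;
                q.e[i] = q.e[--q.n];
            } else {
                i++;
            }
        }
        /* Attack SYNs arrive before the legitimate one within a tick,
         * which is the worst case for the real client under tail drop. */
        for (int k = 0; k < ATTACK_RATE; k++) {
            struct entry bogus = {0, t + SYN_TIMEOUT};
            admit(&q, bogus, p);
        }
        struct entry legit = {1, t + RTT_TICKS};
        r.legit_syns++;
        admit(&q, legit, p);   /* if evicted later it simply never completes */
    }
    return r;
}

/* Fraction of legitimate SYNs that completed under the given policy. */
double completion_ratio(enum policy p, uint64_t seed) {
    struct result r = simulate(p, seed);
    return r.legit_syns ? (double)r.completed / (double)r.legit_syns : 0.0;
}

int main(void) {
    printf("tail-drop:   %.1f%% of legitimate connections completed\n",
           100.0 * completion_ratio(TAIL_DROP, 42));
    printf("random-drop: %.1f%% of legitimate connections completed\n",
           100.0 * completion_ratio(RANDOM_DROP, 42));
    return 0;
}
```

With these parameters the attacker offers ten times the queue's steady-state capacity, so tail drop lets only the first dozen or so legitimate clients through before the queue is wedged, while random drop keeps completing the large majority because a real entry only has to survive about twenty random evictions before its ACK arrives. The model deliberately omits client retransmission and the 30% free headroom that the Linux patch is described as keeping; both would make random drop look better still.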