New Denial of Service Attack ...

Ok, I'm confused. Quoting from Vernon's message:

Date: Wed, 18 Sep 1996 14:32:14 -0600
From: (Vernon Schryver)
Subject: SYN bombing defense

I've just hacked IRIX 6.3 to do random-drop when sonewconn() in
tcp_input.c fails. It works great! An IP22 receiving 1200 bogus
SYN's per second directed to port 23 continues to answer requests
for new telnet as if nothing is happening.

As I figure it, as long as the length of the queue is longer than RTT
of the real telnet client times the rate of bogus SYNs, the real
clients have an excellent probability of getting through on their
first attempt. For example, at 1200 bogus SYNs/sec and the IRIX 6.3
telnet listen queue of 383, there should be no trouble with peers
with RTT up to about 300 milliseconds. I've tested with a telnet
client 250 milliseconds away while simultaneously bombing the machine
from nearby with ~1200 SYNs/sec, and see no telnet TCP retransmissions.

Because the queue is always full, you must have been doing 1200 random-
drops per second, also. A telnet client 250ms away is therefore on
average exposed to 300 random-drops, each of which has a chance of 1/383
of killing it. Its probability of survival is (1-1/383)^300, or .456,
not so good. It would be different if it were oldest-drop, but random-
drop is what's stated.

Lacking evidence, I won't argue with the experimental finding that the
problem goes away - but if so, what's wrong with my computation?

Barney Wolff <>
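The two drop policies compared in the message above, worked through as an added example (not code from the post, from Vernon Schryver's IRIX patch, or from anyone in the thread). It uses the figures the thread gives (listen queue of 383, 1200 bogus SYNs/sec, a client 250 ms away) and makes two simplifying assumptions of its own: the queue is already full of bogus entries when the legitimate SYN arrives, so every further bogus SYN forces exactly one eviction, and no bogus entry times out during the client's RTT. Under those assumptions it reproduces the (1-1/383)^300 figure analytically and by simulation, and shows how oldest-drop behaves on the same input.

```python
"""
Listen-queue eviction under a SYN flood: random-drop versus oldest-drop.

Constructed example, not code from the mailing-list post or from IRIX.
Model: the queue holds QUEUE_LEN half-open entries and is full of bogus
SYNs when the legitimate SYN arrives. The legitimate entry must survive
until the client's ACK arrives, i.e. for one RTT, during which
SYN_RATE * RTT further bogus SYNs each evict one existing entry.
Simplification (ours): bogus entries never time out inside that window.
"""
import random

QUEUE_LEN = 383   # IRIX 6.3 telnet listen queue, from the thread
SYN_RATE = 1200   # bogus SYNs per second, from the thread
RTT = 0.250       # client round-trip time in seconds, from the thread


def drops_during_rtt(syn_rate: float, rtt: float) -> int:
    """Evictions the legitimate entry is exposed to: one per bogus SYN in one RTT."""
    return round(syn_rate * rtt)


def survival_random_drop(queue_len: int, drops: int) -> float:
    """Random-drop: each eviction picks a uniformly random slot, so the
    legitimate entry dodges each one with probability 1 - 1/queue_len."""
    return (1.0 - 1.0 / queue_len) ** drops


def survival_oldest_drop(queue_len: int, drops: int) -> float:
    """Oldest-drop: the legitimate entry is the newest when it arrives and is
    evicted only after queue_len further bogus SYNs; fewer than that and it
    survives deterministically (queue length > RTT * SYN rate)."""
    return 1.0 if drops < queue_len else 0.0


def simulate(queue_len: int, drops: int, policy: str,
             trials: int = 10000, seed: int = 1) -> float:
    """Monte Carlo check of both policies on an explicit queue model.

    The queue is tracked only by the index of the legitimate entry: index 0
    is the oldest slot, queue_len-1 the newest. An eviction removes one slot,
    shifts everything behind it toward the head, and the bogus SYN that
    forced the eviction takes the freed newest slot.
    """
    if policy not in ("random", "oldest"):
        raise ValueError("policy must be 'random' or 'oldest'")
    rng = random.Random(seed)
    survived = 0
    for _ in range(trials):
        legit = queue_len - 1          # legitimate SYN lands in the newest slot
        alive = True
        for _ in range(drops):
            victim = rng.randrange(queue_len) if policy == "random" else 0
            if victim == legit:
                alive = False
                break
            if victim < legit:
                legit -= 1             # slots behind the victim move up one
        survived += alive
    return survived / trials


if __name__ == "__main__":
    n = drops_during_rtt(SYN_RATE, RTT)
    print(f"bogus SYNs during one RTT: {n}")
    for policy, analytic in (("random", survival_random_drop(QUEUE_LEN, n)),
                             ("oldest", survival_oldest_drop(QUEUE_LEN, n))):
        print(f"{policy:6s}-drop  analytic {analytic:.3f}  "
              f"simulated {simulate(QUEUE_LEN, n, policy):.3f}")
```

Running it reproduces the 0.456 survival figure for random-drop with 300 evictions against a 383-slot queue, while oldest-drop with the same numbers yields 1.0, which is the "queue longer than RTT times SYN rate" condition stated in the quoted message; the two policies only coincide once the flood is heavy enough (or the client far enough away) that RTT times SYN rate reaches the queue length.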