Date: Fri, 22 Dec 2000 13:24:44 +1100 (CST)
From: Mike OConnor <kernel@pineview.net>
I would like to point who ever is in charge of the TCP stack for
the linux kernel at a site which claims to have a method of
eliminate denial of service (DoS) attacks
http://grc.com/r&d/nomoredos.htm
With my limited unstanding of TCP and DoS attacks this would seem
to be the answer, instead of a work around.
These people claim that no connection state needs to be saved for the
beginning of the negotiation, and I claim this is unworkable because
it ignores TCP timestamps entirely.
Furthermore, it also cannot work because it makes retransmissions
of the SYN/ACK very non-workable. I suppose his TCP stack just hacks
around this by just waiting for the original client SYN to get
retransmitted or something like this. I question whether that can
even work reliably.
I think not holding onto any state for an incoming SYN is nothing but
a dream in any serious modern TCP implementation. It can be reduced,
but not eliminated. The former is what most modern stacks have done
to fight these problems.
Later,
David S. Miller
davem@redhat.com
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sat Dec 23 2000 - 21:00:30 EST