linux-kernel.vger.kernel.org archive mirror
From: "David S. Miller" <davem@redhat.com>
To: kernel@pineview.net
Cc: linux-kernel@vger.kernel.org
Subject: Re: No more DoS
Date: Thu, 21 Dec 2000 18:00:15 -0800
Message-ID: <200012220200.SAA05057@pizda.ninka.net>
In-Reply-To: <977453684.3a42c2744fbb7@ppro.pineview.net> (message from Mike OConnor on Fri, 22 Dec 2000 13:24:44 +1100 (CST))

   Date: Fri, 22 Dec 2000 13:24:44 +1100 (CST)
   From: Mike OConnor <kernel@pineview.net>

   I would like to point whoever is in charge of the TCP stack for
   the Linux kernel to a site which claims to have a method of
   eliminating denial of service (DoS) attacks:

   http://grc.com/r&d/nomoredos.htm

   With my limited understanding of TCP and DoS attacks this would seem
   to be the answer, instead of a workaround.

These people claim that no connection state needs to be saved for the
beginning of the negotiation, and I claim this is unworkable because
it ignores TCP timestamps entirely.

Furthermore, it also cannot work because it makes retransmissions
of the SYN/ACK very non-workable.  I suppose his TCP stack just hacks
around this by just waiting for the original client SYN to get
retransmitted or something like this.  I question whether that can
even work reliably.

I think not holding onto any state for an incoming SYN is nothing but
a dream in any serious modern TCP implementation.  It can be reduced,
but not eliminated.  The former is what most modern stacks have done
to fight these problems.

Later,
David S. Miller
davem@redhat.com
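As an added illustration (not part of this thread, and not any stack's real code), a small Python model of the kind of stateless SYN handling the message argues against: the server keeps no per-SYN state and instead folds a keyed hash plus a coarse MSS index into its initial sequence number, then validates the client's third packet against that. Running it shows what survives (the MSS class) and what does not (the client's timestamp and window scale, and any ability to retransmit the SYN/ACK); the addresses, ports, secret and MSS table are constructed.

```python
import hmac, hashlib

MSS_TABLE = [536, 1300, 1440, 1460]  # constructed: index must fit in 3 bits of the cookie
SECRET = b"constructed-secret-key"    # hypothetical per-host secret, rotated with the counter
SERVER = ("10.0.0.1", 80)             # constructed server address

def _mac24(saddr, sport, daddr, dport, counter):
    msg = f"{saddr}:{sport}>{daddr}:{dport}:{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(saddr, sport, daddr, dport, mss, counter):
    """Stateless ISN for the SYN/ACK: 5 bits of time counter, 3 bits of MSS
    index, 24 bits of keyed hash. Nothing else from the SYN is retained."""
    counter &= 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (counter << 27) | (mss_idx << 24) | _mac24(saddr, sport, daddr, dport, counter)

def check_cookie(saddr, sport, daddr, dport, ack, counter_now):
    """Validate the client's ACK against a cookie the server never stored.
    Returns the recovered MSS, or None if the cookie is forged or stale."""
    isn = (ack - 1) & 0xFFFFFFFF
    counter = isn >> 27
    if (counter_now - counter) & 0x1F > 1:   # older than one counter tick: reject
        return None
    if _mac24(saddr, sport, daddr, dport, counter) != (isn & 0xFFFFFF):
        return None
    return MSS_TABLE[(isn >> 24) & 0x7]

def stateless_handshake(syn, synack_lost=False, counter=7):
    """Simulate the server side. `syn` is a constructed dict of client SYN fields.
    Returns what the server can know once (if) the third packet arrives."""
    daddr, dport = SERVER
    isn = make_cookie(syn["saddr"], syn["sport"], daddr, dport, syn["mss"], counter)
    if synack_lost:
        # No state was kept, so there is nothing to retransmit; the handshake only
        # resumes if the client retransmits its SYN, which yields a fresh cookie.
        return {"established": False, "server_can_retransmit": False}
    ack = (isn + 1) & 0xFFFFFFFF          # client's third packet acknowledges our ISN
    mss = check_cookie(syn["saddr"], syn["sport"], daddr, dport, ack, counter)
    # The client's TSval and window scale existed only in the SYN; they are gone.
    return {"established": mss is not None, "mss": mss,
            "client_tsval": None, "client_wscale": None}

CLIENT_SYN = {"saddr": "192.0.2.10", "sport": 40000, "mss": 1460,
              "tsval": 123456, "wscale": 7}  # constructed sample client SYN
```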

Thread overview: 8+ messages
2000-12-22  2:24 No more DoS Mike OConnor
2000-12-22  2:00 ` David S. Miller [this message]
2000-12-22  4:20   ` Michael Peddemors
2000-12-22  4:53   ` David S. Miller
2000-12-22  2:36 ` Tom Vier
2000-12-22  4:09 ` Michael Peddemors
2000-12-22  4:55 ` Michael H. Warfield
2000-12-22 18:21 ` kuznet