
On Thu, 12 Sep 1996, John Young wrote:
> WSJ and WaPo have reports on Panix-jamming by info-request bombardment, and Bell Labs security expert Bill Cheswick's attempt to solve it.

This particular attack has been known for some time; kind of surprising it hasn't been used before. It is defensible, but it can take a lot of memory to give full protection.

The best IPv4 way I know of to stop the listen queue being filled is to use a special structure to hold half-open incoming connections, and not allocate the full TCB until the ack of the syn-ack comes in; that way, the listen queue can be made large enough to keep enough connections to cover the number of SYNs receivable before the half-open connection times out. This ensures that there's at least a traceable return address for the connection. Sort of like Photuris cookies but without the forced RTT delay.

(The timeout was added to most stacks in 94 after backbone fuckups caused queues to wedge on most of the big web servers with all sorts of asymmetric routing problems. It's not strictly legal TCP.)

----
Cause maybe (maybe)                   | In my mind I'm going to Carolina
you're gonna be the one that saves me | - back in Chapel Hill May 16th.
And after all                         | Email address remains unchanged
You're my firewall -                  | ........First in Usenet.........
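
The half-open table described in the message above, as an added sketch that is not part of the original post or of any real TCP stack. The struct layouts, the 8-slot table, the 75-second timeout and all function names are assumptions chosen for illustration; a real stack would hash entries instead of scanning linearly.

```c
#include <stdint.h>
#include <stdlib.h>

#define HALF_OPEN_SLOTS   8   /* constructed size; size it with slots_needed() */
#define HALF_OPEN_TIMEOUT 75  /* seconds a half-open entry lives (assumed value) */

/* Small record kept per SYN: just enough to validate the final ACK. */
struct half_open {
    uint32_t src_ip, iss;     /* peer address, our initial sequence number */
    uint16_t src_port;
    uint32_t expires;         /* absolute time in seconds; 0 means free slot */
};

/* Hypothetical stand-in for the full TCB (buffers, timers, windows). */
struct tcb { uint32_t src_ip; uint16_t src_port; uint32_t snd_nxt; char bufs[1024]; };

static struct half_open table[HALF_OPEN_SLOTS];

/* Slots needed to hold every SYN receivable before a half-open entry times out. */
static unsigned slots_needed(unsigned syns_per_sec, unsigned timeout_sec) {
    return syns_per_sec * timeout_sec;
}

/* SYN received: use a free or expired slot. Returns 0 if stored, -1 if table full. */
static int on_syn(uint32_t ip, uint16_t port, uint32_t iss, uint32_t now) {
    for (int i = 0; i < HALF_OPEN_SLOTS; i++) {
        if (table[i].expires <= now) {  /* covers free (0) and timed-out entries */
            table[i] = (struct half_open){ .src_ip = ip, .iss = iss, .src_port = port,
                                           .expires = now + HALF_OPEN_TIMEOUT };
            return 0;
        }
    }
    return -1;
}

/* ACK of our SYN-ACK: only now is the full TCB allocated. NULL if no live match. */
static struct tcb *on_ack(uint32_t ip, uint16_t port, uint32_t ack, uint32_t now) {
    for (int i = 0; i < HALF_OPEN_SLOTS; i++) {
        struct half_open *h = &table[i];
        if (h->expires > now && h->src_ip == ip && h->src_port == port
            && ack == h->iss + 1) {
            struct tcb *t = calloc(1, sizeof *t);
            if (!t) return NULL;
            t->src_ip = ip; t->src_port = port; t->snd_nxt = ack;
            h->expires = 0;             /* release the small slot */
            return t;
        }
    }
    return NULL;
}
```

The per-SYN cost is `sizeof(struct half_open)` rather than `sizeof(struct tcb)`, which is why the table can be made large enough to outlast the timeout.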