Firewall Wizards mailing list archives

Re: client puzzle protocol


From: "Ge' Weijers" <ge () progressive-systems com>
Date: Sun, 20 Feb 2000 20:57:44 -0700

On Fri, Feb 18, 2000 at 03:10:18PM -0500, Paul Cardon wrote:
> There are strategies for managing this buffer that make it more
> resistant to attack.  Simply increasing the buffer size and decreasing
> the timeout value are not sufficient.  I don't have the exact page
> number, but see the section of Unix Network Programming Volume 1 (Second
> Edition) that describes the backlog parameter of listen().  There are
> references to two strategies for making the stack more resistant to SYN
> Floods.  On the face of it I don't see how RSA's strategy improves
> anything but I also have yet to read the entire thing.

A strategy designed by Dan Bernstein called SYN cookies
(ftp://koobera.math.uic.edu/pub/docs/syncookies-archive) prevents the
buffer from overflowing on a machine under attack. The basic idea is
to encode some connection parameters in the initial sequence number
that is sent back in the SYN-ACK TCP packet and then forget about the
connection altogether. If a reply to this packet ever comes back you
complete the connection attempt.

This mechanism is available on Linux and some BSD variants.

The client-puzzle protocol does not seem such a great idea to me. A
_distributed_ DOS attack will have lots of CPU power to do the
puzzles.

Ge'

-- 
-
Ge' Weijers                                Voice: (614)326 4600
Progressive Systems, Inc.                    FAX: (614)326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220
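The SYN-cookie idea Ge' describes, worked through as an added example (not code from the post or from any kernel): the server encodes a time counter, an MSS index and a keyed hash of the connection 4-tuple into the 32-bit ISN of its SYN-ACK, keeps no state, and later recovers everything it needs from the client's ACK number. The 5/3/24-bit layout follows Bernstein's write-up; HMAC-SHA256, the secret, the MSS table and the addresses are constructed assumptions for the demo.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo values: a real stack rotates the secret and picks its own table.
SECRET = b"constructed-demo-secret"
MSS_TABLE = (536, 1024, 1440, 1460)  # index encoded in 3 bits of the cookie


def _mac24(secret, saddr, sport, daddr, dport, count):
    """24-bit keyed hash of the 4-tuple and the time counter (the secret part)."""
    msg = (socket.inet_aton(saddr) + struct.pack("!H", sport)
           + socket.inet_aton(daddr) + struct.pack("!H", dport)
           + struct.pack("!I", count))
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, saddr, sport, daddr, dport, client_mss, count):
    """ISN for the SYN-ACK: 5 bits of counter | 3 bits MSS index | 24-bit MAC.
    After sending it the server forgets the half-open connection entirely."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= client_mss:
            idx = i  # largest table entry the client's MSS allows
    return ((count & 0x1F) << 27) | (idx << 24) | _mac24(secret, saddr, sport,
                                                        daddr, dport, count)


def check_ack(secret, saddr, sport, daddr, dport, ack_number, now_count, window=2):
    """Validate the ACK of the handshake. Returns the negotiated MSS, or None
    if the cookie is stale, forged, or for a different 4-tuple."""
    cookie = (ack_number - 1) & 0xFFFFFFFF     # client acks ISN + 1
    age = (now_count - (cookie >> 27)) & 0x1F  # counter field is only 5 bits
    if age > window:
        return None                             # too old: replayed or delayed
    count = now_count - age                     # reconstruct the full counter
    if (cookie & 0xFFFFFF) != _mac24(secret, saddr, sport, daddr, dport, count):
        return None                             # MAC mismatch: not our cookie
    return MSS_TABLE[(cookie >> 24) & 0x7]


if __name__ == "__main__":
    isn = make_cookie(SECRET, "192.0.2.10", 40000, "198.51.100.1", 80, 1460, 100)
    print(hex(isn), check_ack(SECRET, "192.0.2.10", 40000, "198.51.100.1", 80,
                              isn + 1, 101))
```

The counter is meant to tick slowly (Bernstein used 64-second units), so a flood of SYNs costs the server one hash per packet and no queue slot, which is exactly why the backlog cannot overflow.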