Edited: Jan 12,2001 at 16:23 (-0700 UTC) | . . . because sometimes it IS rocket science! |
Eliminate Denial of Service (DoS) Vulnerability Part III - Acknowledgement of Previous Work by Steve Gibson
|
Acknowledgement of previous work The Denial of Service resulting from a SYN flood with deliberately spoofed and changing source IPs is such a "low-tech" yet effective and anonymous assault that its mitigation and/or prevention has naturally received the attention of many talented and creative minds in the past. As part of the implementation of a custom designed TCP/IP protocol stack to support our new NanoProbe™ technology, I designed a simple, straightforward, and robust solution to protect the stack from spoofed-IP Denial of Service SYN flood attacks. Immediately after I posted the second part of this work to the web, several participants in the news groups at grc.com reported that similar work had been done before. I was unaware of previous work in this area, and consequently developed my solution independently and without the benefit of any previous work. However, since I have absolutely no intention or desire to assume credit for innovation which is not due, I feel it is important for previous work to be acknowledged and credited to its originators. Anyone able to provide additional specific information relating to similar techniques for managing Denial of Service attacks, is encouraged to send a note to me, care of my company, Gibson Research Corporation, at support@grc.com. I would very much appreciate having any specific details which may be available about any other solutions or systems that have been designed or created, and I will immediately incorporate a disclosure, analysis, and comparison of them here. |
Linux "SYN Cookies" After tracking down every one of the "this has all been done before" leads, I found that they all converged on one place: During September and October of 1996 two researchers, Dan Bernstein and Eric Schenk, proposed and worked out the specific implementation details for a system which is known today as "SYN Cookies". Shortly afterward, Eric added the SYN Cookie code to Linux where it survives, and can optionally be enabled, to this day. As you can see from Dan's page — which clearly describes the operation and formulation of their Cookies — the Berntstein/Schenk SYN Cookies are quite different and therefore have different characteristics from my "Encrypted Token" solution. However, both systems share the common concept which I called "deferred connection management", and both systems succeed in enforcing Client source IP authentication. Theirs is a great solution too, and I am glad to learn that, as a result of their work, Linux has acquired such robust Denial of Service protection, and moreover, that it has it built-in! It is a shame that this four-year-old technique has not become more prevalent or received more attention. It should. Please note also: Earlier versions of this page contained a
number of inaccurate conclusions based upon code contained within archived
discussion threads and anecdotal evidence. It was all I was able to find
at the time, but that information did not represent the current
implementation of Linux's SYN Cookies. In my surprise and haste to
determine what had been done before — and draw some conclusions and
comparisons — I was using obsolete information. After I found Dan's page,
and contacted him, he was able to separate the facts from the fiction. I
wish to apologize for any confusion I created from my own initial
confusion! All the best.
|
Purchasing Info | GRC Mail System | To GRC's Home | Tech Support | Discussions |