
Edited: Apr 21, 2006 at 16:56 | . . . because sometimes it IS rocket science!
Eliminate Denial of Service (DoS) Vulnerability Part III - Acknowledgement of Previous Work by Steve Gibson
Acknowledgement of previous work

The Denial of Service resulting from a SYN flood with deliberately spoofed and changing source IPs is such a "low-tech" yet effective and anonymous assault that its mitigation and/or prevention has naturally received the attention of many talented and creative minds in the past. As part of the implementation of a custom designed TCP/IP protocol stack to support our new NanoProbe technology, I designed a simple, straightforward, and robust solution to protect the stack from spoofed-IP Denial of Service SYN flood attacks. Immediately after I posted the second part of this work to the web, several participants in the news groups at grc.com reported that similar work had been done before. I was unaware of previous work in this area, and consequently developed my solution independently and without the benefit of any previous work. However, since I have absolutely no intention or desire to assume credit for innovation which is not due, I feel it is important for previous work to be acknowledged and credited to its originators. Anyone able to provide additional specific information relating to similar techniques for managing Denial of Service attacks is encouraged to send a note to me, care of my company, Gibson Research Corporation, at . I would very much appreciate having any specific details which may be available about any other solutions or systems that have been designed or created, and I will immediately incorporate a disclosure, analysis, and comparison of them here.
Linux "SYN Cookies"

After tracking down every one of the "this has all been done before" leads, I found that they all converged on one place: during September and October of 1996 two researchers, Dan Bernstein and Eric Schenk, proposed and worked out the specific implementation details for a system which is known today as "SYN Cookies". Shortly afterward, Eric added the SYN Cookie code to Linux, where it survives, and can optionally be enabled, to this day. As you can see from Dan's page, which clearly describes the operation and formulation of their Cookies, the Bernstein/Schenk SYN Cookies are quite different from, and therefore have different characteristics than, my "Encrypted Token" solution. However, both systems share the common concept which I called "deferred connection management", and both systems succeed in enforcing Client source IP authentication. Theirs is a great solution too, and I am glad to learn that, as a result of their work, Linux has acquired such robust Denial of Service protection, and moreover, that it has it built-in! It is a shame that this four-year-old technique has not become more prevalent or received more attention.
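The two shared ideas named above, deferred connection management and source-IP authentication, are easiest to see in code. The following is an added illustration written for this page; it is not Gibson's Encrypted Token code, nor the Bernstein/Schenk formula or the Linux implementation, and its 32-bit cookie layout (5 bits of time counter, 3 bits of MSS index, 24 bits of keyed MAC), the 64-second tick, the MSS table and all addresses are constructed for the demo. The point it demonstrates: the server stores nothing when a SYN arrives, because the SYN-ACK sequence number itself is a MAC over the 4-tuple and a coarse timestamp, and only a client that actually received that SYN-ACK at the claimed source IP can return a valid final ACK. Spoofed SYNs therefore cost no memory, and a forged ACK is rejected.

```python
import hashlib
import hmac
import socket
import struct
import time

# Constructed demo secret; a real server would generate this at boot and keep it private.
SECRET = b"constructed-demo-secret-do-not-reuse"

# MSS values the 3-bit cookie field can encode (index into this table). Constructed.
MSS_TABLE = (536, 1220, 1440, 1460)


def current_counter(now=None):
    """Coarse time counter (one tick per 64 s) so cookies expire on their own."""
    return int(now if now is not None else time.time()) // 64


def _mac(src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit keyed MAC over the connection 4-tuple and the time counter."""
    msg = (socket.inet_aton(src_ip) + struct.pack("!H", src_port)
           + socket.inet_aton(dst_ip) + struct.pack("!H", dst_port)
           + struct.pack("!I", counter & 0xFFFFFFFF))
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, mss, counter):
    """Build the server ISN for the SYN-ACK: counter(5) | mss index(3) | MAC(24)."""
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):       # largest table entry not above the client's MSS
        if m <= mss:
            mss_idx = i
    return (((counter & 0x1F) << 27) | (mss_idx << 24)
            | _mac(src_ip, src_port, dst_ip, dst_port, counter))


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_number, counter):
    """Validate the handshake's final ACK. Returns the negotiated MSS, or None if bad/stale."""
    isn = (ack_number - 1) & 0xFFFFFFFF     # the ACK acknowledges ISN + 1
    cookie_counter = isn >> 27
    mss_idx = (isn >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    # Accept the current tick or the previous one, i.e. a cookie lifetime of 64-128 s.
    for candidate in (counter, counter - 1):
        if candidate & 0x1F == cookie_counter:
            if isn & 0xFFFFFF == _mac(src_ip, src_port, dst_ip, dst_port, candidate):
                return MSS_TABLE[mss_idx]
            return None
    return None


class StatelessListener:
    """Server side of the handshake: no per-SYN state, only established connections."""

    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.established = {}

    def on_syn(self, src_ip, src_port, mss, counter):
        # Reply with a SYN-ACK whose sequence number is the cookie; nothing is stored.
        return make_syn_cookie(src_ip, src_port, self.ip, self.port, mss, counter)

    def on_ack(self, src_ip, src_port, ack_number, counter):
        mss = check_syn_cookie(src_ip, src_port, self.ip, self.port, ack_number, counter)
        if mss is None:
            return False
        self.established[(src_ip, src_port)] = mss
        return True


def demo():
    """Legitimate handshake, a spoofed SYN flood, and a forged ACK, all against one listener."""
    srv = StatelessListener("192.0.2.10", 443)          # constructed TEST-NET address
    tick = 1000
    # Legitimate client: actually receives the SYN-ACK and echoes cookie + 1 in its ACK.
    cookie = srv.on_syn("198.51.100.7", 40000, 1460, tick)
    ok = srv.on_ack("198.51.100.7", 40000, (cookie + 1) & 0xFFFFFFFF, tick + 1)
    # Flood of SYNs from spoofed sources: each gets a SYN-ACK (sent to the spoofed
    # address, which the attacker never sees) but consumes no memory on the server.
    for i in range(10000):
        srv.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, 1460, tick)
    # An ACK that does not carry a valid cookie for its claimed source is rejected.
    forged = srv.on_ack("203.0.113.5", 5555, 0x12345678, tick)
    return ok, forged, len(srv.established), srv.established.get(("198.51.100.7", 40000))


if __name__ == "__main__":
    print(demo())
```

After 10,000 spoofed SYNs the listener still holds exactly one established connection, because the only state it ever keeps is created when a valid ACK arrives. The 24-bit MAC means a guessed ACK succeeds with probability about 2^-24, and the counter window bounds how long a captured cookie stays valid; the price, as with real SYN cookies, is that options not encoded in the cookie are lost.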
Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2012 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA.