1995-10-25 - Re: Does your software?

Header Data

From: fc@all.net (Dr. Frederick B. Cohen)
To: ses@tipper.oit.unc.edu (Simon Spero)
Message Hash: 431e0e28fbd60e7ffa028c562b0fbad5ff077b5ba06720c25a6c8e688a082057
Message ID: <9510251049.AA20105@all.net>
Reply To: <Pine.SOL.3.91.951024210756.18616A-100000@chivalry>
UTC Datetime: 1995-10-25 10:52:48 UTC
Raw Date: Wed, 25 Oct 95 03:52:48 PDT

Raw message

From: fc@all.net (Dr. Frederick B. Cohen)
Date: Wed, 25 Oct 95 03:52:48 PDT
To: ses@tipper.oit.unc.edu (Simon Spero)
Subject: Re: Does your software?
In-Reply-To: <Pine.SOL.3.91.951024210756.18616A-100000@chivalry>
Message-ID: <9510251049.AA20105@all.net>
MIME-Version: 1.0
Content-Type: text


> 
> On Tue, 24 Oct 1995, Jon Mittelhauser wrote:
> 
> > Dr. Frederick B. Cohen wrote:
> > 
> > > Yet it services more than one request per minute, 24 hours, 7 days, and
> > > has done so without denial of services, corruption, or leakage since its
> 
> > I really tried to resist but....
> > 
> 
> Thanks for saving me from the temptation but I guessed you were so taken 
> aback by the performance claims that you missed the most amazing claim: 
> an httpd that is proof against Denial Of Service. I'd love to know how 
> Dr. Fred does this, since DoS is believed impossible to defend against 
> for unauthenticated TCP...

It's detailed to some extent in the on-line paper about the server.

> The usual DoS attack is to send a stream of connection-initiating SYNs to 
> the target port, and never ACK the returned SYN. This fills up the listen 
> queue, and jams the port. As long as you can generate SYNs faster than 
> the TCP implementation times out the older pending requests, the port is 
> jammed (modulo a small window of, er, invulnerability between one of your 
> SYNs timing out and its replacement turning up).

Right - that's why you have to have timeouts.  Unfortunately, I only
prevent denial of services attacks once things hit the server.  I think
the TCP wrapper also has a timeout on its request for authentication. 
As I said, the system is not made less secure by the server.  It's very
common for other http servers to start a process, lose the link to the
calling host, and leave processes hung out to dry.  Even without an
intentional attack, servers end up with hundreds of processes hanging
around after a few weeks of uptime.  If you get 1024 hung channels, you
have denial of services on most http implementations.

-- 
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
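Added example, not code from the original thread or from the server Cohen describes: a minimal accept loop that enforces the per-connection read timeout he argues for, so a client that connects and then goes silent is dropped rather than leaving a handler "hung out to dry". The `TimeoutServer` class, the 0.5 s timeout and the `demo()` scenario (five silent clients, then one real request) are constructed for illustration.

```python
import socket
import threading
import time
READ_TIMEOUT = 0.5  # seconds a connected client may stay silent before being dropped

class TimeoutServer:
    def __init__(self, timeout=READ_TIMEOUT):
        self.timeout, self.lock = timeout, threading.Lock()
        self.active = self.timed_out = 0   # handlers alive / connections dropped
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))    # port 0: let the OS pick a free port
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:                 # listening socket closed: shut down
                return
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with self.lock:
            self.active += 1
        try:
            conn.settimeout(self.timeout)   # never block forever waiting on a dead peer
            if conn.recv(1024):             # any request line gets a canned reply
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
        except socket.timeout:
            with self.lock:
                self.timed_out += 1
        finally:
            conn.close()                    # always release the handler slot
            with self.lock:
                self.active -= 1

def demo(n_silent=5):
    """Constructed scenario: n_silent silent clients, then one real request; returns counters."""
    srv = TimeoutServer()
    silent = [socket.create_connection(("127.0.0.1", srv.port)) for _ in range(n_silent)]
    time.sleep(srv.timeout * 3)             # let the read timeouts fire and handlers exit
    good = socket.create_connection(("127.0.0.1", srv.port))
    good.sendall(b"GET / HTTP/1.0\r\n\r\n")
    status = good.recv(1024).split(b"\r\n")[0]
    time.sleep(0.2)                         # let the last handler finish its bookkeeping
    for s in silent + [good]: s.close()
    srv.sock.close()
    return {"timed_out": srv.timed_out, "active": srv.active, "status": status}
```

Without `settimeout`, each silent client would pin a handler thread for as long as it kept the TCP connection open, which is exactly the hung-process accumulation the reply describes.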