draft-ietf-tcpm-syn-flood-04.txt              draft-ietf-tcpm-syn-flood-05.txt
(side-by-side rfcdiff output flattened to one column: unchanged lines
 appear once, lines marked "<" are in -04 only, lines marked ">" are in
 -05 only)

Network Working Group                                           W. Eddy
Internet-Draft                          Verizon Federal Network Systems
< Intended status: Informational                           May 14, 2007
< Expires: November 15, 2007
> Intended status: Informational                           May 30, 2007
> Expires: December 1, 2007

              TCP SYN Flooding Attacks and Common Mitigations
<                     draft-ietf-tcpm-syn-flood-04
>                     draft-ietf-tcpm-syn-flood-05

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that

skipping to change at page 1, line 34

   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

<  This Internet-Draft will expire on November 15, 2007.
>  This Internet-Draft will expire on December 1, 2007.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This document describes TCP SYN flooding attacks, which have been
   well-known to the community for several years.  Various
   countermeasures against these attacks, and the trade-offs of each,
skipping to change at page 13, line 33

   enabled by default on systems that provide them.  SYN caches do not
   have the same negative implications and may be enabled as a default
   mode of processing.

   In October of 1996, Dave Borman implemented a SYN cache at BSDi for
   BSD/OS, which was given to the community with no restrictions.  This
   code seems to be the basis for the SYN cache implementations adopted
   later in other BSD variants.  The cache was used when the backlog
   became full, rather than by default, as we have described.  A note to
   the tcp-impl mailing list explains that this code does not retransmit
<  SYN-ACKs, which is a practice we discourage [B97].
>  SYN-ACKs [B97].  More recent implementations have chosen to reverse
>  this decision and retransmit SYN-ACKs.  It is known that loss of SYN-
>  ACK packets is not uncommon [SD01] and can severely slow the
>  performance of connections when initial retransmission timers for
>  SYNs are overly conservative (as in some operating systems) or
>  retransmitted SYNs are lost.  Furthermore, if a SYN flooding attacker
>  has a high sending rate, loss of retransmitted SYNs is likely, so if
>  SYN-ACKs are not retransmitted, the chance of efficiently
>  establishing legitimate connections is reduced.
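Review bot: the -05 text drops the explicit recommendation that -04 made ("which is a practice we discourage") and keeps only the reasoning, so a reader is left to infer the document's position; since the added sentences argue that not retransmitting SYN-ACKs reduces the chance of establishing legitimate connections under a flood, close the paragraph with the recommendation stated plainly (for example, "SYN caches should therefore retransmit SYN-ACKs"). Two of the new claims also lack support within the hunk: "More recent implementations have chosen to reverse this decision" names no implementation, while the very next paragraph's description of NetBSD's 1997 code (which retransmits SYN-ACKs because the cache is used for all connections) is the evidence and could be pointed to; and "(as in some operating systems)" would be stronger with a citation or a concrete example of the conservative initial SYN timer it refers to.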
   In 1997, NetBSD incorporated a modified version of Borman's code.
   Two notable differences from the original code stem from the decision
   to use the cache by default (for all connections).  This implied the
   need to perform retransmissions for SYN-ACKs, and to use larger
   structures to keep more complete data.  The original structure was 32
   bytes long for IPv4 connections and 56 bytes with IPv6 support, while
   the current FreeBSD structure is 196 bytes long.  As previously
   cited, Lemon implemented the SYN cache and cookie techniques in
   FreeBSD 4.4 [Lem02].  Lemon notes that a SYN cache structure took up
skipping to change at page 17, line 11

6.  IANA Considerations

   This document does not update or create any IANA registries.

7.  Acknowledgements

   A conversation with Ted Faber was the impetus for writing this
   document.  Comments and suggestions from Joe Touch, Dave Borman,
   Fernando Gont, Jean-Baptiste Marchand, Christian Huitema, Caitlin
   Bestler, Pekka Savola, Andre Oppermann, Alfred Hoenes, Mark Allman,
<  Pasi Eronen, Warren Kumari, David Malone, and Ron Bonica were useful
<  in strengthening this document.  The original work on TCP SYN cookies
<  presented in Appendix A is due to D.J. Bernstein.
>  Lars Eggert, Pasi Eronen, Warren Kumari, David Malone, Ron Bonica,
>  and Lisa Dusseault were useful in strengthening this document.  The
>  original work on TCP SYN cookies presented in Appendix A is due to
>  D.J. Bernstein.

   Work on this document was performed at NASA's Glenn Research Center.
   Funding was partially provided by a combination of NASA's Advanced
   Communications, Navigation, and Surveillance Architectures and System
   Technologies (ACAST) project, the Sensis Corporation, NASA's Space
   Communications Architecture Working Group, and NASA's Earth Science
   Technology Office.

8.  Informative References
skipping to change at page 19, line 30

   [RFC3013]  Killalea, T., "Recommended Internet Service Provider
              Security Services and Procedures", BCP 46, RFC 3013,
              November 2000.

   [RFC3704]  Baker, F. and P. Savola, "Ingress Filtering for Multihomed
              Networks", BCP 84, RFC 3704, March 2004.

   [RFC4413]  West, M. and S. McCann, "TCP/IP Field Behavior", RFC 4413,
              March 2006.

>  [SD01]     Seddigh, N. and M. Devetsikiotis, "Studies of TCP's
>             Retransmission Timeout Mechanism", Proceedings of the 2001
>             IEEE International Conference on Communications (ICC
>             2001), volume 6, pages 1834-1840, June 2001.

   [SKK+97]   Schuba, C., Krsul, I., Kuhn, M., Spafford, E., Sundaram,
              A., and D. Zamboni, "Analysis of a Denial of Service
              Attack on TCP", Proceedings of the 1997 IEEE Symposium on
              Security and Privacy 1997.

   [Ste95]    Stevens, W. and G. Wright, "TCP/IP Illustrated, Volume 2:
              The Implementation", January 1995.

   [cr.yp.to]
              Bernstein, D., "URL: http://cr.yp.to/syncookies.html",
End of changes.  6 change blocks.
8 lines changed or deleted, 22 lines changed or added

This html diff was produced by rfcdiff 1.33.  The latest version is
available from http://tools.ietf.org/tools/rfcdiff/