On Tue, Sep 21, 2004 at 08:15:25PM +0200, Andi Kleen wrote:
> On Tue, Sep 21, 2004 at 11:58:27AM -0600, Tim Gardner wrote:
> > On Tue, 2004-09-21 at 11:31, Andi Kleen wrote:
> > > But also allows an easy DOS. Someone just has to spoof a lot of
> > > connections
> > > attempts with the source address of your primary name server or
> > > some other important service.
> > >
> > That is what other iptables rules and filters are for. I get thousands
> > of source address spoofs from my Internet connection every day. Network
> > security is a layered approach.
> I don't think you can eliminate the problem with more filters.
I agree with Andi, and I think we're just being lazy if we say 'well,
the neighbour cache has this problem, but the solution has to be
manually implemented by the administrator'.

Also, we cannot put complex heuristics code in place, unless we can
prove that it again doesn't provide new possibilities for DoS.

My personal (simplistic) favourite is still a simple threshold (absolute
value / percentage) for incomplete neighbour entries. This way we make
sure that we cannot starve 'real' (fully resolved) entries at the cost
of incomplete ones.
- Harald Welte <laforge@xxxxxxxxxxxx> http://www.gnumonks.org/
Programming is like sex: One mistake and you have to support it your lifetime
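The threshold idea from the message above, as an added illustration that is not part of the thread and not kernel code: a toy neighbour cache model with a fixed number of slots, run once with no cap on INCOMPLETE entries and once with a cap of 25% of the table (the percentage, the table size of 64 and the round-robin eviction are assumptions made for the model). Eight fully resolved neighbours are inserted, then the table is hit with lookups for addresses that never answer; without the cap the unresolved entries eventually recycle the slots of the resolved ones, with the cap they cannot.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model only (assumed parameters, not Linux neigh.c values). */
#define CACHE_SIZE      64
#define INCOMPLETE_PCT  25   /* at most 25% of the slots may be INCOMPLETE when capped */

enum nstate { FREE, INCOMPLETE, REACHABLE };

struct nentry { uint32_t ip; enum nstate st; };

struct ncache {
    struct nentry e[CACHE_SIZE];
    unsigned incomplete;         /* entries waiting for a resolution reply */
    unsigned reachable;          /* fully resolved entries */
    unsigned refused;            /* lookups dropped because the cap was reached */
    unsigned evicted_reachable;  /* resolved entries recycled to make room */
    unsigned victim;             /* round-robin eviction cursor */
};

static unsigned incomplete_limit(void) { return CACHE_SIZE * INCOMPLETE_PCT / 100; }

void ncache_init(struct ncache *c) { memset(c, 0, sizeof *c); }

static struct nentry *find(struct ncache *c, uint32_t ip)
{
    for (int i = 0; i < CACHE_SIZE; i++)
        if (c->e[i].st != FREE && c->e[i].ip == ip) return &c->e[i];
    return NULL;
}

static struct nentry *find_state(struct ncache *c, enum nstate st)
{
    for (int i = 0; i < CACHE_SIZE; i++)
        if (c->e[i].st == st) return &c->e[i];
    return NULL;
}

/* Returns 2 on a resolved hit, 1 if an INCOMPLETE entry exists/was created,
 * 0 if the lookup was refused by the cap. */
int ncache_lookup(struct ncache *c, uint32_t ip, bool capped)
{
    struct nentry *n = find(c, ip);
    if (n) return n->st == REACHABLE ? 2 : 1;

    if (capped && c->incomplete >= incomplete_limit()) { c->refused++; return 0; }

    n = find_state(c, FREE);
    if (!n) {
        if (capped) {
            /* Capped: only ever recycle another INCOMPLETE slot, never a resolved one. */
            n = find_state(c, INCOMPLETE);
            if (!n) { c->refused++; return 0; }
            c->incomplete--;
        } else {
            /* Uncapped: recycle whatever the cursor points at, resolved or not. */
            n = &c->e[c->victim++ % CACHE_SIZE];
            if (n->st == REACHABLE) { c->reachable--; c->evicted_reachable++; }
            else c->incomplete--;
        }
    }
    n->ip = ip; n->st = INCOMPLETE; c->incomplete++;
    return 1;
}

/* A resolution reply arrived for ip: promote the entry. */
void ncache_resolve(struct ncache *c, uint32_t ip)
{
    struct nentry *n = find(c, ip);
    if (n && n->st == INCOMPLETE) { n->st = REACHABLE; c->incomplete--; c->reachable++; }
}

/* Insert 8 resolved neighbours, then flood_size lookups for addresses that
 * never answer. Returns how many resolved entries survive. */
unsigned simulate_flood(bool capped, unsigned flood_size)
{
    struct ncache c; ncache_init(&c);
    for (uint32_t i = 1; i <= 8; i++) {            /* constructed: 10.0.0.1 .. 10.0.0.8 */
        ncache_lookup(&c, 0x0a000000u + i, capped);
        ncache_resolve(&c, 0x0a000000u + i);
    }
    for (uint32_t i = 0; i < flood_size; i++)      /* constructed: 192.168.0.0 + i, never resolve */
        ncache_lookup(&c, 0xc0a80000u + i, capped);
    printf("capped=%d reachable=%u incomplete=%u refused=%u evicted_reachable=%u\n",
           capped, c.reachable, c.incomplete, c.refused, c.evicted_reachable);
    return c.reachable;
}

int main(void)
{
    simulate_flood(false, 200);
    simulate_flood(true, 200);
    return 0;
}
```

With 64 slots and a 25% cap the table can hold at most 16 unresolved entries at any time, so the 8 resolved neighbours are untouched no matter how long the flood of unanswered lookups runs; the only cost is that lookups beyond the cap are refused until one of the pending entries resolves or ages out, which is the trade-off the threshold makes explicit.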