|
BSDCon 2002 Paper   
[BSDCon '02 Tech Program Index]
Next: Introduction
Resisting SYN flood DoS attacks with a SYN cacheJonathan Lemon jlemon@FreeBSD.org
Abstract:
Machines that provide TCP services are often susceptible to various
types of Denial of Service attacks from external hosts on the network.
One particular type of attack is known as a SYN flood, where external
hosts attempt to overwhelm the server machine by sending a constant stream
of TCP connection requests, forcing the server to allocate resources
for each new connection until all resources are exhausted. This paper
discusses several approaches for dealing with the exhaustion problem,
including SYN caches and SYN cookies. The advantages and drawbacks of
each approach are presented, and the implementation of the specific
solution used in FreeBSD is analyzed.
Jonathan Lemon 2001-12-04 |
This paper was originally published in the
Proceedings of the BSDCon '02 Conference on File and Storage Technologies, February 11-14, 2002, Cathedral Hill Hotel, San Francisco, California, USA.
Last changed: 28 Dec. 2001 ml |
|