< draft-ietf-tcpm-syn-flood-04.txt		draft-ietf-tcpm-syn-flood-05.txt >
	Network Working Group W. Eddy		Network Working Group W. Eddy
	Internet-Draft Verizon Federal Network Systems		Internet-Draft Verizon Federal Network Systems
	Intended status: Informational May 14, 2007		Intended status: Informational May 30, 2007
	Expires: November 15, 2007		Expires: December 1, 2007
	TCP SYN Flooding Attacks and Common Mitigations		TCP SYN Flooding Attacks and Common Mitigations
	draft-ietf-tcpm-syn-flood-04		draft-ietf-tcpm-syn-flood-05
	Status of this Memo		Status of this Memo
	By submitting this Internet-Draft, each author represents that any		By submitting this Internet-Draft, each author represents that any
	applicable patent or other IPR claims of which he or she is aware		applicable patent or other IPR claims of which he or she is aware
	have been or will be disclosed, and any of which he or she becomes		have been or will be disclosed, and any of which he or she becomes
	aware will be disclosed, in accordance with Section 6 of BCP 79.		aware will be disclosed, in accordance with Section 6 of BCP 79.
	Internet-Drafts are working documents of the Internet Engineering		Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF), its areas, and its working groups. Note that		Task Force (IETF), its areas, and its working groups. Note that
	skipping to change at page 1, line 34 ¶		skipping to change at page 1, line 34 ¶
	and may be updated, replaced, or obsoleted by other documents at any		and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference		time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."		material or to cite them other than as "work in progress."
	The list of current Internet-Drafts can be accessed at		The list of current Internet-Drafts can be accessed at
	http://www.ietf.org/ietf/1id-abstracts.txt.		http://www.ietf.org/ietf/1id-abstracts.txt.
	The list of Internet-Draft Shadow Directories can be accessed at		The list of Internet-Draft Shadow Directories can be accessed at
	http://www.ietf.org/shadow.html.		http://www.ietf.org/shadow.html.
	This Internet-Draft will expire on November 15, 2007.		This Internet-Draft will expire on December 1, 2007.
	Copyright Notice		Copyright Notice
	Copyright (C) The IETF Trust (2007).		Copyright (C) The IETF Trust (2007).
	Abstract		Abstract
	This document describes TCP SYN flooding attacks, which have been		This document describes TCP SYN flooding attacks, which have been
	well-known to the community for several years. Various		well-known to the community for several years. Various
	countermeasures against these attacks, and the trade-offs of each,		countermeasures against these attacks, and the trade-offs of each,
	skipping to change at page 13, line 33 ¶		skipping to change at page 13, line 33 ¶
	enabled by default on systems that provide them. SYN caches do not		enabled by default on systems that provide them. SYN caches do not
	have the same negative implications and may be enabled as a default		have the same negative implications and may be enabled as a default
	mode of processing.		mode of processing.
	In October of 1996, Dave Borman implemented a SYN cache at BSDi for		In October of 1996, Dave Borman implemented a SYN cache at BSDi for
	BSD/OS, which was given to the community with no restrictions. This		BSD/OS, which was given to the community with no restrictions. This
	code seems to be the basis for the SYN cache implementations adopted		code seems to be the basis for the SYN cache implementations adopted
	later in other BSD variants. The cache was used when the backlog		later in other BSD variants. The cache was used when the backlog
	became full, rather than by default, as we have described. A note to		became full, rather than by default, as we have described. A note to
	the tcp-impl mailing list explains that this code does not retransmit		the tcp-impl mailing list explains that this code does not retransmit
	SYN-ACKs, which is a practice we discourage [B97].		SYN-ACKs [B97]. More recent implementations have chosen to reverse
			this decision and retransmit SYN-ACKs. It is known that loss of SYN-
			ACK packets is not uncommon [SD01] and can severely slow the
			performance of connections when initial retransmission timers for
			SYNs are overly conservative (as in some operating systems) or
			retransmitted SYNs are lost. Furthermore, if a SYN flooding attacker
			has a high sending rate, loss of retransmitted SYNs is likely, so if
			SYN-ACKs are not retransmitted, the chance of efficiently
			establishing legitimate connections is reduced.
	In 1997, NetBSD incorporated a modified version of Borman's code.		In 1997, NetBSD incorporated a modified version of Borman's code.
	Two notable differences from the original code stem from the decision		Two notable differences from the original code stem from the decision
	to use the cache by default (for all connections). This implied the		to use the cache by default (for all connections). This implied the
	need to perform retransmissions for SYN-ACKs, and to use larger		need to perform retransmissions for SYN-ACKs, and to use larger
	structures to keep more complete data. The original structure was 32		structures to keep more complete data. The original structure was 32
	bytes long for IPv4 connections and 56 bytes with IPv6 support, while		bytes long for IPv4 connections and 56 bytes with IPv6 support, while
	the current FreeBSD structure is 196 bytes long. As previously		the current FreeBSD structure is 196 bytes long. As previously
	cited, Lemon implemented the SYN cache and cookie techniques in		cited, Lemon implemented the SYN cache and cookie techniques in
	FreeBSD 4.4 [Lem02]. Lemon notes that a SYN cache structure took up		FreeBSD 4.4 [Lem02]. Lemon notes that a SYN cache structure took up
	skipping to change at page 17, line 11 ¶		skipping to change at page 17, line 11 ¶
	6. IANA Considerations		6. IANA Considerations
	This document does not update or create any IANA registries.		This document does not update or create any IANA registries.
	7. Acknowledgements		7. Acknowledgements
	A conversation with Ted Faber was the impetus for writing this		A conversation with Ted Faber was the impetus for writing this
	document. Comments and suggestions from Joe Touch, Dave Borman,		document. Comments and suggestions from Joe Touch, Dave Borman,
	Fernando Gont, Jean-Baptiste Marchand, Christian Huitema, Caitlin		Fernando Gont, Jean-Baptiste Marchand, Christian Huitema, Caitlin
	Bestler, Pekka Savola, Andre Oppermann, Alfred Hoenes, Mark Allman,		Bestler, Pekka Savola, Andre Oppermann, Alfred Hoenes, Mark Allman,
	Pasi Eronen, Warren Kumari, David Malone, and Ron Bonica were useful		Lars Eggert, Pasi Eronen, Warren Kumari, David Malone, Ron Bonica,
	in strengthening this document. The original work on TCP SYN cookies		and Lisa Dusseault were useful in strengthening this document. The
	presented in Appendix A is due to D.J. Bernstein.		original work on TCP SYN cookies presented in Appendix A is due to
			D.J. Bernstein.
	Work on this document was performed at NASA's Glenn Research Center.		Work on this document was performed at NASA's Glenn Research Center.
	Funding was partially provided by a combination of NASA's Advanced		Funding was partially provided by a combination of NASA's Advanced
	Communications, Navigation, and Surveillance Architectures and System		Communications, Navigation, and Surveillance Architectures and System
	Technologies (ACAST) project, the Sensis Corporation, NASA's Space		Technologies (ACAST) project, the Sensis Corporation, NASA's Space
	Communications Architecture Working Group, and NASA's Earth Science		Communications Architecture Working Group, and NASA's Earth Science
	Technology Office.		Technology Office.
	8. Informative References		8. Informative References
	skipping to change at page 19, line 30 ¶		skipping to change at page 19, line 30 ¶
	[RFC3013] Killalea, T., "Recommended Internet Service Provider		[RFC3013] Killalea, T., "Recommended Internet Service Provider
	Security Services and Procedures", BCP 46, RFC 3013,		Security Services and Procedures", BCP 46, RFC 3013,
	November 2000.		November 2000.
	[RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed		[RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed
	Networks", BCP 84, RFC 3704, March 2004.		Networks", BCP 84, RFC 3704, March 2004.
	[RFC4413] West, M. and S. McCann, "TCP/IP Field Behavior", RFC 4413,		[RFC4413] West, M. and S. McCann, "TCP/IP Field Behavior", RFC 4413,
	March 2006.		March 2006.
			[SD01] Seddigh, N. and M. Devetsikiotis, "Studies of TCP's
			Retransmission Timeout Mechanism", Proceedings of the 2001
			IEEE International Conference on Communications (ICC
			2001), volume 6, pages 1834-1840, June 2001.
	[SKK+97] Schuba, C., Krsul, I., Kuhn, M., Spafford, E., Sundaram,		[SKK+97] Schuba, C., Krsul, I., Kuhn, M., Spafford, E., Sundaram,
	A., and D. Zamboni, "Analysis of a Denial of Service		A., and D. Zamboni, "Analysis of a Denial of Service
	Attack on TCP", Proceedings of the 1997 IEEE Symposium on		Attack on TCP", Proceedings of the 1997 IEEE Symposium on
	Security and Privacy 1997.		Security and Privacy 1997.
	[Ste95] Stevens, W. and G. Wright, "TCP/IP Illustrated, Volume 2:		[Ste95] Stevens, W. and G. Wright, "TCP/IP Illustrated, Volume 2:
	The Implementation", January 1995.		The Implementation", January 1995.
	[cr.yp.to]		[cr.yp.to]
	Bernstein, D., "URL: http://cr.yp.to/syncookies.html",		Bernstein, D., "URL: http://cr.yp.to/syncookies.html",
End of changes. 6 change blocks.
	8 lines changed or deleted		22 lines changed or added
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/