[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ratelimiting/concurrency limits both inadequate to stop TCP/IP DoS

Subject: Re: ratelimiting/concurrency limits both inadequate to stop TCP/IP DoS
From: Pavel Kankovsky <peak@ARGO.TROJA.MFF.CUNI.CZ>
Date: Fri, 2 Mar 2001 04:24:05 +0100
Approved-By: beng@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010228010351.A10042@home.ds9a.nl>
Reply-To: Pavel Kankovsky <peak@ARGO.TROJA.MFF.CUNI.CZ>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>

On Wed, 28 Feb 2001, bert hubert wrote:

> I'm not certain weather its best to group ip addresses by /16 or /24 - /24
> might consume too much memory, /16 might be too broad. Perhaps this should
> be a tunable parameter.

IMHO the best approach would be to group them automatically. The addresses
and netblocks form a tree. You start with all leaves representing recorded
groups being at the maximal level, i.e. exact IP addresses. Later,
whenever you spot a subtree growing larger than desired, i.e. having too
many nodes, you collapse the whole subtree into a single node, i.e. group
them into one large netblock, and keep them grouped until the "number of
their sins" drops below a reasonable limit.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

Prev by Date: Microsoft Security Bulletin MS01-014
Next by Date: PHPNUKE4.4.1a Advisory
Prev by thread: Microsoft Security Bulletin MS01-014
Next by thread: PHPNUKE4.4.1a Advisory
Index(es):
- Date
- Thread