Subject: Re: interrupt rate from a NIC
To: None <tech-net@netbsd.org>
From: Lucio De Re <lucio@proxima.alt.za>
List: tech-net
Date: 03/07/2003 10:22:23
On Fri, Mar 07, 2003 at 08:22:49AM +0000, Kamal R Prasad wrote:
> 
> > Are you looking at some real problem or just making up theories?
> I'm looking at providing a fix for a DDoS wherein the attacker uses many
> machines to attack a system. Note that an attack involves sending something
> like a flood of SYNs and not responding to the SYN-ACK (maybe because the
> IP address is spoofed or it intentionally doesn't want to), thus eating up a
> lot of resources that go into setting up a connection on the target
> machine. Even if the target machine sends in a request to slow down the rate at
> which packets are being sent, the attacker will probably not pay heed to
> it. BTW, many servers use GigE NICs nowadays.
> thanks
> -kamal
> 
You're ignoring the reality of frame collisions.  There can only be so
many packets arriving at an interface, no matter how many senders.  In
fact, collisions effectively reduce the bandwidth, thus the efficiency
of the attack diminishes with a greater number of attackers.

Flood PING could probably illustrate the problem.  Mind you, I'm
making up theories now.  :-)  :-)  :-)

++L
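An added example, not code from this thread or from NetBSD, that models the resource the quoted post describes: the per-listener table of half-open (SYN_RECEIVED) connections that an unanswered SYN-ACK keeps occupied until the stack gives up on it. The backlog size, the lifetime of a half-open entry, the traffic rates and the spoofed source addresses are constructed assumptions for illustration, not measurements of any real stack. The point it makes is that the attacker's SYN rate only has to exceed backlog divided by half-open lifetime to starve legitimate clients, which is orders of magnitude below what a NIC can deliver in interrupts.

```python
"""Simulate half-open connection table exhaustion under a SYN flood.

Constructed model (assumption, not any real TCP implementation):
  - a listener keeps at most `backlog` half-open entries;
  - an entry lives `lifetime_ms` unless the third handshake packet arrives;
  - attacker SYNs come from a fresh spoofed address each time and are never
    followed by an ACK;
  - legitimate clients ACK one RTT after their SYN, if the SYN got a slot.
"""
import heapq
from dataclasses import dataclass, field


@dataclass
class Listener:
    backlog: int           # maximum number of SYN_RECEIVED entries kept
    lifetime_ms: int       # how long an unanswered SYN-ACK occupies a slot
    half_open: dict = field(default_factory=dict)  # src -> expiry time (ms)
    accepted: int = 0      # handshakes completed
    dropped: int = 0       # SYNs refused because the table was full

    def _expire(self, now):
        # Reclaim slots whose SYN-ACK was never answered in time.
        for src in [s for s, exp in self.half_open.items() if exp <= now]:
            del self.half_open[src]

    def on_syn(self, now, src):
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return False
        self.half_open[src] = now + self.lifetime_ms
        return True

    def on_ack(self, now, src):
        self._expire(now)
        if src in self.half_open:
            del self.half_open[src]
            self.accepted += 1
            return True
        return False


def syn_rate_to_exhaust(backlog, lifetime_ms):
    """SYNs per second at which the steady-state table is permanently full."""
    return backlog / (lifetime_ms / 1000.0)


def simulate(backlog, lifetime_ms, attack_rate, legit_rate, rtt_ms, duration_ms):
    """Run the constructed traffic mix and report what legitimate clients saw."""
    lst = Listener(backlog, lifetime_ms)
    events = []  # heap of (time_ms, priority, kind, src); ACKs sort before SYNs
    if attack_rate:
        for i, t in enumerate(range(0, duration_ms, 1000 // attack_rate)):
            heapq.heappush(events, (t, 2, "syn", f"spoofed-{i}"))
    legit_total = 0
    for i, t in enumerate(range(0, duration_ms, 1000 // legit_rate)):
        heapq.heappush(events, (t, 1, "syn", f"client-{i}"))
        legit_total += 1

    legit_refused = 0
    while events:
        t, _, kind, src = heapq.heappop(events)
        if kind == "syn":
            got_slot = lst.on_syn(t, src)
            if src.startswith("client-"):
                if got_slot:
                    heapq.heappush(events, (t + rtt_ms, 0, "ack", src))
                else:
                    legit_refused += 1
        else:
            lst.on_ack(t, src)

    return {
        "legit_total": legit_total,
        "legit_accepted": lst.accepted,
        "legit_refused": legit_refused,
        "attacker_syns_dropped": lst.dropped - legit_refused,
    }


if __name__ == "__main__":
    # 256-entry backlog, 60 s half-open lifetime: ~4.3 SYN/s is enough to fill it.
    print("exhaustion rate:", syn_rate_to_exhaust(256, 60_000), "SYN/s")
    print("no attack:     ", simulate(256, 60_000, 0, 1, 50, 120_000))
    print("2 SYN/s attack:", simulate(256, 60_000, 2, 1, 50, 120_000))
    print("10 SYN/s attack:", simulate(256, 60_000, 10, 1, 50, 120_000))
```

With the assumed parameters the 2 SYN/s flood keeps at most 120 spoofed entries alive and no client is turned away; at 10 SYN/s the table is full after roughly 26 s and every later client SYN is refused for as long as the flood continues, even though the NIC is handling only a few dozen packets per second.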