Comments on Errata Security: Asynchronocity and Internet Scale
Comment feed (feed author: David Maynor), last updated 2024-01-16T05:48:33-05:00. Five comments, shown in chronological order.

c0uchw4rrior, 2009-06-12 18:45 -04:00

Good post Rob, as usual.

One correction, though. Class A networks contain ~16.8 million IPs (2^24), not 24 million. A Class A does, however, have 24 *bits* of IP space.

Anonymous, 2009-06-13 03:10 -04:00

Synchronous communication *can* scale to internet size. See mailinator as an example.

http://mailinator.blogspot.com/2008/02/kill-myth-please-nio-is-not-faster-than.html

http://mailinator.blogspot.com/2008/08/benchmarking-talkinator.html

"Seriously, if you still believe asynchronous/NIO beats synchronous/IO (and it did when linux threads killed the system after just a few hundred were started) you might want to do some research. Threaded socket programming is back... and with a vengeance."

Also, I think that people like synchronous IO programming more than async, possibly because it's more 'procedural'... Things happen in the textual order you write them. That's something that's worth trading for a little performance, if need be.

Async IO handling spreads the state machine all over the place, and I've seen numerous security bugs that have come simply from that. It's easier to see and verify the logic and steps in linear synchronous programming.

Finally, really what's needed is an async IO library that *looks* synchronous. Write your code in the linear synchronous style, and let the library take care of the sync/async performance tradeoffs. Of course for that, you need a language with support for continuations.

Anonymous (Blogger profile 14018426199584597135), 2009-06-13 21:41 -04:00

http://tinyclouds.org/node

Anonymous, 2009-06-15 13:23 -04:00

Enough already about how great BlackICE/Proventia is!

ithilgore (http://sock-raw.org), 2009-06-27 16:45 -04:00

You are wrong about this part of your post:

"This code also uses the technique of being completely "stateless". One way to write this code would be for it to create a small connection record. However, since it is creating millions of connections, it would need a large table in memory to track what each connection is doing. Instead, it's much simpler. It will reply to a SYN-ACK packet regardless of whether it sent a matching SYN packet.

That would be one (of many) easy ways to see if somebody is running this tool against you. Whenever you suspect somebody is DoSing you, send them a SYN-ACK packet out of the blue. If it's a normal, stateful system that tracks SYNs it sent, then the suspected attacker will respond with some sort of error. If it is a stateless, Internet-scale attacker, they will respond with a data packet."

Nkiller2 uses the technique of client syn-cookies to keep track of the SYNs it sends without any additional memory overhead. Essentially, it encodes the quadruple { src port, src IP address, dst port, dst IP address } along with a secret key into the TCP sequence field, and upon receiving a SYN-ACK it can deduce whether or not this belonged to a SYN it previously sent by subtracting 1 from the TCP ACK field and checking the number against the current packet's re-encoded quadruple. The encoding is done using the sha1 hash algorithm. Thus, you cannot detect the use of this tool by the technique you mentioned (sending back a bogus SYN-ACK), because Nkiller2 will just ignore it. You can try it yourself using hping2 or some similar tool.

There might be other ways to detect Nkiller2, however, and the most obvious one is checking whether your service is down :)

-- ithilgore (author of Nkiller2)
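The client syn-cookie check that ithilgore's comment describes, as an added Python example that is not code from Nkiller2 or from any of the commenters: the quadruple and a secret key are hashed with SHA-1 into the sequence number, and an incoming SYN-ACK is accepted only if its ACK minus 1 matches the cookie recomputed for that quadruple. It shows why the blog post's proposed probe (a SYN-ACK sent out of the blue) is simply ignored rather than answered, so a defender cannot rely on it; the key, addresses, ports and ACK values are constructed for the demo.

```python
import hashlib
import ipaddress
import struct

# Constructed demo key; a real stateless client would draw a random secret at start-up.
SECRET_KEY = b"constructed-demo-secret"
MASK32 = 0xFFFFFFFF

def syn_cookie(src_ip, src_port, dst_ip, dst_port, key=SECRET_KEY):
    """Fold the quadruple {src IP, src port, dst IP, dst port} plus the secret key into
    a 32-bit value with SHA-1 (first four digest bytes), as the comment describes."""
    material = (ipaddress.ip_address(src_ip).packed + struct.pack("!H", src_port)
                + ipaddress.ip_address(dst_ip).packed + struct.pack("!H", dst_port) + key)
    return struct.unpack("!I", hashlib.sha1(material).digest()[:4])[0]

def outgoing_syn(src_ip, src_port, dst_ip, dst_port):
    """The client's SYN carries the cookie as its initial sequence number, so no
    per-connection record has to be kept in memory."""
    return {"src": (src_ip, src_port), "dst": (dst_ip, dst_port),
            "seq": syn_cookie(src_ip, src_port, dst_ip, dst_port)}

def synack_matches_our_syn(synack):
    """Decide statelessly whether a SYN-ACK answers a SYN we really sent: ACK - 1 must
    equal the cookie for the quadruple seen from our side (reply's src/dst swapped)."""
    our_ip, our_port = synack["dst"]
    peer_ip, peer_port = synack["src"]
    return ((synack["ack"] - 1) & MASK32) == syn_cookie(our_ip, our_port, peer_ip, peer_port)

# Constructed exchange: our client at 198.51.100.7:40000 sends a SYN to 203.0.113.9:80.
OUR_SYN = outgoing_syn("198.51.100.7", 40000, "203.0.113.9", 80)

# The genuine reply acknowledges our ISN + 1.
GENUINE_SYNACK = {"src": ("203.0.113.9", 80), "dst": ("198.51.100.7", 40000),
                  "ack": (OUR_SYN["seq"] + 1) & MASK32}

# The probe the post proposes: a SYN-ACK sent "out of the blue" for a connection we never
# opened. Without the key the sender can only guess the ACK (a 2^-32 chance per try).
BOGUS_SYNACK = {"src": ("203.0.113.9", 443), "dst": ("198.51.100.7", 40000),
                "ack": 0x12345678}

# A reply that copies a valid ACK but comes from a port we never probed fails too:
# the cookie is bound to the whole quadruple, not just to the ACK number.
REPLAYED_SYNACK = {"src": ("203.0.113.9", 8080), "dst": ("198.51.100.7", 40000),
                   "ack": GENUINE_SYNACK["ack"]}

if __name__ == "__main__":
    for name, pkt in [("genuine", GENUINE_SYNACK), ("bogus", BOGUS_SYNACK),
                      ("replayed", REPLAYED_SYNACK)]:
        print(name, "accepted" if synack_matches_our_syn(pkt) else "ignored")
```

Only the genuine reply is accepted; the other two are dropped without any lookup in a connection table, which is exactly the behaviour that defeats the out-of-the-blue SYN-ACK test.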