Đang chuẩn bị liên kết để tải về tài liệu:
Firewalls and Internet Security, Second Edition phần 4

chúng ta có thể cài đặt một đường ống lớn hơn. Một CPU nhanh hơn với nhiều bộ nhớ hơn có thể được có thể xử lý chế biến. Trong cuộc tấn công Panix, một đề xuất tiên tiến để thay đổi giao thức TCP để yêu cầu nhà nước ít hơn cho một kết nối half-open, hoặc làm việc khác nhau trong các quy tắc hiện tại của TCP. | 116 Classes of Attacks Increase the Capacity of the Target This is probably the most effective remedy for denial-of-service attacks. It can also be the most expensive. If they are flooding our network we can install a bigger pipe. A faster CPU with more memory may be able to handle the processing. In the Panix attack a proposal was advanced to change the TCP protocol to require less state for a half-open connection or to work differently within the current TCP rules. It s usually hard to increase the capacity of a network link quickly and expensive as well. It is also disheartening to have to spend that kind of money simply to deal with an attack. It may be easiest to improve the server s capacity. Commercial operating systems and network server software vary considerably in their efficiency. A smarter software choice may help. We don t advocate particular vendors but would like to note that the implementations with longer histories tend to be more robust and efficient. They represent the accumulation of more experience. But the problem won t go away. Some day in the future after all the network links are en-crypted all the keys are distributed all the servers are bug-free all the hosts are secure and all the users properly authenticated denial-of-service attacks will still be possible. Well-prepared dissidents will orchestrate well-publicized attacks on popular targets like governments major companies and unpopular individuals. We expect these attacks to be a fact of life on the Internet. 5.8.5 Backscatter An IP packet has to have a source address the field is not optional. DOS attackers don t wish to use their own address or a stereotyped address because it may reveal the source of the attack or at least make the attack packets easy to identify and filter out. Often they use random return addresses. This makes it easier to measure the attack rate for the Internet as a whole. When a host is attacked with DOS packets it does manage to handle some of the load. It .