North American Network Operators Group
Re: TCP SYN attacks
- From: Avi Freedman
- Date: Thu Oct 03 21:04:41 1996
> I agree.
>
> It seems to me that placing this processing in the firewall is
> *potentially* dangerous, as now a SYN-flooding attack (*IF*
> *successful*) will deny service to everything behind the firewall,
> instead of just the targeted host.
>
> If I know I can fire-hose your firewall, and take your *site* off the
> net, then it might become more attractive to me to "find" sufficient
> CPU and bandwidth resources to generate enough packets to take you
> out. This could "raise the stakes" enough to make it worth it to an
> attacker.
If someone can hose a firewall with an adaptive SYN timeout and
a 100,000 or more-entry state storage structure for pending SYNs
(not that any particular implementation does this that I know of
or don't know of) then I *WANT* them to attack me.
Something that un-subtle should be easy to track back to the source.
> Tom E. Perrine (tep@SDSC.EDU) | San Diego Supercomputer Center
> http://www.sdsc.edu/~tep/ | Voice: +1.619.534.5000
> "Ille Albus Canne Vinco Homines" - You Know Who
Avi
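The mechanism Avi describes (a large table of pending SYNs whose timeout adapts to how full the table is) as an added simulation. This is not code from the thread or from any firewall product; the capacity, the timeout values and the constructed flows in `demo()` are assumptions chosen to make the behaviour visible.

```python
"""Pending-SYN (half-open) table with a load-adaptive timeout: an illustration,
not a real TCP stack. Capacity, timeouts and traffic below are constructed."""
from collections import OrderedDict


class PendingSynTable:
    """Tracks half-open connections; entries are kept in arrival order (oldest first)."""

    def __init__(self, capacity=100_000, base_timeout=75.0, min_timeout=3.0):
        self.capacity = capacity          # max half-open entries held (assumed value)
        self.base_timeout = base_timeout  # seconds an entry lives on an idle table (assumed)
        self.min_timeout = min_timeout    # floor for the timeout at full load (assumed)
        self._entries = OrderedDict()     # (src, sport, dport) -> arrival time
        self.expired = 0                  # entries dropped because their timeout ran out
        self.evicted = 0                  # entries dropped to make room for a newer SYN

    def load(self):
        return len(self._entries) / self.capacity

    def current_timeout(self):
        # Adaptive timeout: full base_timeout on an empty table, shrinking linearly
        # with occupancy down to min_timeout, so a burst of never-completed SYNs
        # ages out of the table faster the more of it there is.
        return max(self.min_timeout, self.base_timeout * (1.0 - self.load()))

    def expire(self, now):
        # Entries are oldest-first, so stop at the first one still inside the timeout.
        timeout = self.current_timeout()
        while self._entries:
            _key, arrived = next(iter(self._entries.items()))
            if now - arrived < timeout:
                break
            self._entries.popitem(last=False)
            self.expired += 1

    def on_syn(self, key, now):
        self.expire(now)
        if key in self._entries:
            # A retransmitted SYN refreshes its entry instead of consuming a new slot.
            self._entries.move_to_end(key)
            self._entries[key] = now
            return
        if len(self._entries) >= self.capacity:
            # Table full and nothing expired: drop the oldest half-open entry.
            self._entries.popitem(last=False)
            self.evicted += 1
        self._entries[key] = now

    def on_ack(self, key):
        # Third handshake step: the connection is established, release the slot.
        return self._entries.pop(key, None) is not None

    def __len__(self):
        return len(self._entries)


def demo():
    """Constructed scenario: a 1,000-slot table receives 500 SYNs at t=0,
    one of which completes its handshake; a further SYN arrives 40 s later."""
    table = PendingSynTable(capacity=1_000, base_timeout=75.0, min_timeout=3.0)
    idle_timeout = table.current_timeout()              # 75.0 on an empty table
    for i in range(500):                                # constructed flows
        table.on_syn(("192.0.2.1", 40_000 + i, 80), now=0.0)
    half_load_timeout = table.current_timeout()         # 37.5 at 50% occupancy
    completed = table.on_ack(("192.0.2.1", 40_000, 80))  # one client finishes
    # 40 s later a new SYN arrives; everything older than the adaptive timeout goes.
    table.on_syn(("198.51.100.7", 51_000, 80), now=40.0)
    return {
        "idle_timeout": idle_timeout,
        "half_load_timeout": half_load_timeout,
        "completed": completed,
        "expired": table.expired,
        "remaining": len(table),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the simulation is the trade-off the thread is arguing about: a large table bounds memory and the adaptive timeout bounds how long unanswered SYNs occupy it, so the table drains on its own under load, while a legitimate client that completes the handshake is unaffected. Under a sustained burst that exceeds capacity the table falls back to evicting the oldest entry, which is where genuine connections can start to be dropped.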