New Denial of Service Attack on Panix

Dima Volodin dvv at sprint.net
Thu Oct 3 18:33:47 UTC 1996
But of course. The problem is that SYN_RCVD is a transient state in the
TCP automaton, and it requires some resource allocation. Life
might have been a little bit different if servers weren't forced
to track this state. Something like a signed ticket accompanying the
second SYN and the following ACK.
Dima

Paul Ferguson writes:
> 
> I agree completely, but neither one is a panacea.
> 
> - paul
> 
> At 08:40 AM 10/3/96 -0400, Dima Volodin wrote:
> 
> >And if everyone doesn't make any attacks we won't have any problems
> >either. To rephrase - relying on ingress filtering is putting your
> >security in someone else's hands, doing host-based stuff is protecting
> >yourself with your own hands. To rephrase once again - doing ingress
> >filtering is "being conservative with what you produce", being able to
> >cope with SYN floods on the host level is "being liberal in what you
> >accept." We need both, and overemphasising one side of the solution will
> >do a lot of harm.
> >
> >
> >Dima
> >
> 
> 
> 
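
The "signed ticket" Dima describes is the idea behind SYN cookies: instead of holding a SYN_RCVD entry per half-open connection, the server folds a keyed MAC of the connection 4-tuple and a coarse time counter into the SYN-ACK's initial sequence number, and accepts the client's final ACK only if the number it echoes back verifies. The following Python simulation is an added illustration, not code from the thread; the field layout, secret, addresses and MSS table are constructed for the example.

```python
"""Stateless SYN_RCVD handling: a keyed ticket carried in the ISN (SYN-cookie style)."""
import hashlib
import hmac
import os

# Constructed per-process secret; a real server would rotate it periodically.
SECRET = os.urandom(16)
# Small MSS table; its index is the only client state that survives in the ticket.
MSS_TABLE = (536, 1220, 1440, 1460)
WINDOW = 64  # seconds per counter tick; a ticket is accepted for the current and previous tick


def _mac24(flow, count, secret):
    """24-bit keyed hash binding the ticket to the 4-tuple and the time counter."""
    msg = "|".join(str(x) for x in (*flow, count)).encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_ticket(flow, client_mss, now, secret=SECRET):
    """ISN for the SYN-ACK: 5-bit time counter | 3-bit MSS index | 24-bit MAC. Nothing is stored."""
    count = int(now // WINDOW) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (count << 27) | (mss_idx << 24) | _mac24(flow, count, secret)


def check_ticket(flow, ack_num, now, secret=SECRET):
    """Validate the ticket echoed in the third packet; return the negotiated MSS or None."""
    isn = (ack_num - 1) & 0xFFFFFFFF  # the client acknowledges ISN + 1
    count, mss_idx, mac = isn >> 27, (isn >> 24) & 0x7, isn & 0xFFFFFF
    cur = int(now // WINDOW) & 0x1F
    if count not in (cur, (cur - 1) & 0x1F):  # ticket too old (or a guessed number)
        return None
    expected = _mac24(flow, count, secret).to_bytes(3, "big")
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected):
        return None
    return MSS_TABLE[mss_idx]


def demo(now=1_000_000.0):
    """Constructed exchange: a genuine ACK, an ACK with a guessed number, and a late ACK."""
    flow = ("198.51.100.7", 40123, "203.0.113.5", 80)  # src, sport, dst, dport (documentation addresses)
    isn = make_ticket(flow, client_mss=1460, now=now)  # SYN-ACK sent; no per-connection entry kept
    good = check_ticket(flow, isn + 1, now + 3)  # third packet of a real handshake
    forged = check_ticket(flow, 0x12345678, now + 3)  # ACK that never saw the SYN-ACK
    stale = check_ticket(flow, isn + 1, now + 3 * WINDOW)  # ACK arriving two windows late
    return good, forged, stale
```

Because every SYN is answered without allocating anything, a flood of spoofed SYNs costs the server only the MAC computation, which is the host-level "being liberal in what you accept" side of the argument.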

More information about the NANOG mailing list