SYN floods - possible solution? (fwd)

• Previous message (by thread): SYN floods - possible solution? (fwd)
• Next message (by thread): SYN floods - possible solution? (fwd)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 12 Sep 1996, Michael Dillon wrote:

==>Now here is something that could be used by sites to protect against
==>SYN flood attacke assuming that they can build a special custom box
==>with enough RAM to buffer the sockets for 30 seconds or more. How high
==>
==>From: "Roderick Murchison, Jr." <murchiso at vivid.newbridge.com>
==>
==>Ok.  say you have a firewall between your network and you Internet
==>connection.  If that firewall could detect and *detain* a segment with the
==>SYN option set, then see if the set source IP answers an ICMP echo

This is bad.  You should never depend upon remote hosts to give you ICMP
responses to establish connections.  This is because of several reasons:

1.  What if a real remote site uses "established" connection firewalls
    and chooses to block ICMP?  In that case, you've limited yourself
    vastly as to what can connect to you (there are a lot of sites which
    use cisco's "established" keyword to firewall and keep
    functionality).

2.  When links become congested, ICMP packets are given a lower priority
    to make way for real data.

/cah

----
Craig A. Huegen  CCIE #2100                       ||        ||
Network Analyst, IS-Network/Telecom               ||        ||
cisco Systems, Inc., 250 West Tasman Drive       ||||      ||||
San Jose, CA  95134, (408) 526-8104          ..:||||||:..:||||||:..
email: chuegen at cisco.com                    c i s c o  S y s t e m s

• Previous message (by thread): SYN floods - possible solution? (fwd)
• Next message (by thread): SYN floods - possible solution? (fwd)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]