SYN floods - possible solution? (fwd)
Steven L. Johnson
steve at barstool.com
Fri Sep 13 15:51:20 UTC 1996
Yes, using ICMP to try and do TCP SYN validation is bad. In addition to
the case where a firewalled site blocks ICMP, consider the case where a
group of hosts will respond to pings but have (some/much) TCP traffic to
them filtered by a conventional firewall. These hosts can be used as
candidate source addresses for a TCP SYN attack as they will respond to
the ICMP echo request but will not send a TCP RST to tear down the bogus
TCP connection.
Much better IMO to consider waiting for a TCP ACK response to TCP SYN
ACK for the requested TCP connection than to wait for ICMP echo response
at the firewall. As noted before this is a very simple transparent
proxy service that can be implemented at the packet level very similar
to that of a NAT box.
-Steve
>
> On Thu, 12 Sep 1996, Michael Dillon wrote:
>
> ==>Now here is something that could be used by sites to protect against
> ==>SYN flood attacks assuming that they can build a special custom box
> ==>with enough RAM to buffer the sockets for 30 seconds or more. How high
> ==>
> ==>From: "Roderick Murchison, Jr." <murchiso at vivid.newbridge.com>
> ==>
> ==>Ok. say you have a firewall between your network and your Internet
> ==>connection. If that firewall could detect and *detain* a segment with the
> ==>SYN option set, then see if the set source IP answers an ICMP echo
>
> This is bad. You should never depend upon remote hosts to give you ICMP
> responses to establish connections. This is because of several reasons:
>
> 1. What if a real remote site uses "established" connection firewalls
> and chooses to block ICMP? In that case, you've limited yourself
> vastly as to what can connect to you (there are a lot of sites which
> use cisco's "established" keyword to firewall and keep
> functionality).
>
> 2. When links become congested, ICMP packets are given a lower priority
> to make way for real data.
>
> /cah
>
> ----
> Craig A. Huegen, CCIE #2100
> Network Analyst, IS-Network/Telecom
> cisco Systems, Inc., 250 West Tasman Drive
> San Jose, CA 95134, (408) 526-8104
> email: chuegen at cisco.com
>
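The two validation strategies argued over in this thread, modelled side by side as an added example (not code from Steve, Craig, or any of the quoted posters). The ICMP validator admits a SYN if the claimed source answers an echo request; the proxy instead answers the SYN itself with a SYN-ACK whose initial sequence number is a keyed cookie over the 4-tuple, keeps no per-SYN state, and only spends resources once the third-handshake ACK proves the source actually received the SYN-ACK. The host table, the 198.51.100.x and 192.0.2.10 addresses, and the `deliver` network model are all constructed for the simulation; a real deployment would open the backend handshake and splice the two connections where the comment says so.

```python
"""Constructed simulation of SYN validation by ICMP echo versus a packet-level
SYN proxy that waits for the client's ACK.  Not code from the thread."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: frozenset


SYN = frozenset({"SYN"})
SYNACK = frozenset({"SYN", "ACK"})
ACK = frozenset({"ACK"})
RST = frozenset({"RST"})
MASK = 0xFFFFFFFF

# Constructed "Internet": does each source answer pings, and does its firewall
# let inbound TCP (here, our SYN-ACK) through?  Unknown addresses are treated
# as nonexistent, i.e. the spoofed sources of a flood.
HOSTS = {
    "198.51.100.7": {"icmp": True, "tcp": True},    # ordinary client
    "198.51.100.9": {"icmp": True, "tcp": False},   # pingable, TCP filtered (Steve's case)
    "198.51.100.11": {"icmp": False, "tcp": True},  # blocks ICMP, allows TCP (Craig's case)
}


class IcmpValidator:
    """Admit a SYN only if the claimed source answers an echo request."""

    def admit(self, seg):
        host = HOSTS.get(seg.src)
        return bool(host and host["icmp"])


class SynProxy:
    """Transparent SYN proxy: stateless SYN-ACK, state only after a valid ACK."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)
        self.established = set()  # 4-tuples whose handshake completed

    def cookie(self, src, sport, dst, dport):
        msg = f"{src}:{sport}:{dst}:{dport}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def inbound(self, seg):
        """Handle one inbound segment; return the proxy's reply, or None."""
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.flags == SYN:
            # Reply with the cookie as ISN; nothing is stored for the SYN.
            isn = self.cookie(*key)
            return Segment(seg.dst, seg.src, seg.dport, seg.sport,
                           isn, (seg.seq + 1) & MASK, SYNACK)
        if seg.flags == ACK and key not in self.established:
            expected = (self.cookie(*key) + 1) & MASK
            if seg.ack == expected:
                # Source really received the SYN-ACK: now it is worth opening
                # the backend handshake and splicing the two connections.
                self.established.add(key)
                return None
            # Stray ACK with no matching cookie: reset it, allocate nothing.
            return Segment(seg.dst, seg.src, seg.dport, seg.sport, seg.ack, 0, RST)
        return None


def deliver(seg):
    """Network model: a SYN-ACK reaches its destination only if that host's
    firewall passes TCP; a reachable host answers with the handshake ACK."""
    host = HOSTS.get(seg.dst)
    if seg.flags == SYNACK and host and host["tcp"]:
        return Segment(seg.dst, seg.src, seg.dport, seg.sport,
                       seg.ack, (seg.seq + 1) & MASK, ACK)
    return None


def run(sources, server="192.0.2.10", port=80):
    """Send one SYN per source through both schemes.
    Returns (sources admitted by ICMP check, sources the proxy established)."""
    icmp, proxy = IcmpValidator(), SynProxy()
    admitted = []
    for i, src in enumerate(sources):
        syn = Segment(src, server, 40000 + i, port, 1000 + i, 0, SYN)
        if icmp.admit(syn):
            admitted.append(src)
        reply = proxy.inbound(syn)
        third = deliver(reply) if reply else None
        if third:
            proxy.inbound(third)
    return admitted, sorted(s for s, *_ in proxy.established)


if __name__ == "__main__":
    flood = [f"203.0.113.{n}" for n in range(1, 50)]  # constructed spoofed sources
    print(run(list(HOSTS) + flood))
```

Running it shows the two failure modes from the thread: the pingable-but-TCP-filtered host passes the ICMP check yet never completes a handshake, while the ICMP-blocking site is wrongly rejected by the ICMP check but establishes normally through the proxy, and the flood leaves the proxy with no state at all.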