SYN floods (was: does history repeat itself?)

Mr. Jeremy Hall jhall at rex.isdn.net
Sat Sep 14 03:46:46 UTC 1996


-->
-->>   circuit, so that's not too bad a problem there.
-->>
-->>   > At the single homed connection a router option to reverse the sense of
-->>   > the forwarding table on a specific interface (look up the source in
-->>   > the forwarding table and only accept if the source is reachable
-->>   > through that next hop) seems to be an effective preventative that could
-->>   > be easily just "switched on".
-->>
-->>   A very good idea.
-->If CISCO'll hear it -:)!
-->
-->
-->
-->>
-->>   Perry
-->>
That sounded like a good idea until I considered asymmetric routing. You 
are assuming the router always knows how to get back to its source, but 
on the contrary, this router may not know how to get back to the source. 
If you're routing traffic inbound to your organization one way and 
outbound traffic goes another, then this option might unnecessarily block 
traffic. Consider also what this would do during an unstable situation. 
Traffic is already slow enough when a router is unstable because it may 
not know how to get to the destination, but if you throw in the 
requirement that it has to know how to get to the source as well, didn't 
you just help the hacker by shutting down service for lots of people?
-- 
              -------------------------------------------
              | Jeremy Hall      Network Engineer |
              | ISDN-Net, Inc    Office +1-615-371-1625 |
              | Nashville, TN    and the southeast USA  |
              | jhall at isdn.net   Pager  +1-615-702-0750 |
              -------------------------------------------
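The per-interface reverse-path check proposed in the quoted text, and the asymmetric-routing failure Jeremy raises, simulated as an added example (not code from this thread or from any router vendor). The forwarding table, interface names, `lookup` and `rpf_accept` are constructed for illustration; the loose-mode variant goes beyond the thread as the usual relaxation of the check for asymmetric paths.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed forwarding table for a single-homed site: (prefix, egress interface).
ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0",    "upstream"),  # default route towards the ISP
    ("192.0.2.0/24", "lan"),       # the site's own address block
]

def lookup(addr: str, routes=ROUTES) -> Optional[str]:
    """Longest-prefix match: the interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rpf_accept(src: str, in_iface: str, strict: bool = True, routes=ROUTES) -> bool:
    """Reverse-path check for a packet with source src arriving on in_iface.
    strict: accept only if the route back to src leaves via in_iface (the thread's proposal).
    loose : accept if src is routable at all (tolerates asymmetry, but catches less)."""
    back = lookup(src, routes)
    if back is None:
        return False          # no route back at all: drop in both modes
    return back == in_iface if strict else True

if __name__ == "__main__":
    # Normal inbound packet from the Internet on a symmetric path.
    print(rpf_accept("203.0.113.5", "upstream"))           # True
    # Forged internal source arriving from the ISP side: blocked.
    print(rpf_accept("192.0.2.9", "upstream"))             # False
    # Asymmetric routing: inbound arrives on "peer", but the way back is "upstream".
    print(rpf_accept("203.0.113.5", "peer"))               # False (legitimate traffic dropped)
    print(rpf_accept("203.0.113.5", "peer", strict=False)) # True  (loose mode survives it)
    # Unstable routing: default route withdrawn, so even loose mode drops remote sources.
    unstable = [("192.0.2.0/24", "lan")]
    print(rpf_accept("203.0.113.5", "upstream", strict=False, routes=unstable))  # False
```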