[4245] in linux-net channel archive
Re: SYN floods
daemon@ATHENA.MIT.EDU (Jacques Gelinas)
Sat Aug 31 01:14:54 1996
Date: Fri, 30 Aug 1996 23:03:38 -0400 (EDT)
From: Jacques Gelinas <jack@solucorp.qc.ca>
To: Henry W Miller <mill0440@gold.tc.umn.edu>
cc: linux-net@vger.rutgers.edu
In-Reply-To: <Pine.SOL.3.91.960830200116.8456A-100000@gold.tc.umn.edu>
On Fri, 30 Aug 1996, Henry W Miller wrote:
> In the end this can only be addressed at the ISP end, if every ISP would
> keep track of its users' valid IP addresses and filter sources that didn't
> fit there... but this is unlikely to happen.

This will happen if this is easy and foolproof. My understanding is that
you can do this filtering now using the IP firewall of Linux (and
others). One thing you can do with the IP firewall is create problems :-)
Given that most ISPs generally want things to work (and have a hard time
achieving this and keeping the pace), playing with firewalls and making a
mistake is something they don't want.

One thing that may help a lot is a mechanism in the kernel which (besides
slowing things down) tries to find a route for the source IP number for
every packet getting in. For sure, in this case, the default route would
not be used.

This kind of "check box" feature would be much more sellable to ISPs than
asking them to synchronise the firewalling rules with the routing.
Maybe such a thing exists in routers already.
--------------------------------------------------------
Jacques Gelinas (jacques@solucorp.qc.ca)
Linuxconf: The ultimate administration system for Linux.
see http://www.solucorp.qc.ca:/linuxconf
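
The source-route check proposed in the message above, as an added sketch that is not part of the original post and not kernel code: a packet is accepted only if a non-default route covers its source address. The routing table, interface names and packets are constructed for illustration, and the strict mode (the route must point back out the arrival interface) is a generalization beyond what the message describes.

```python
import ipaddress

# Constructed routing table for a hypothetical ISP access router:
# (prefix, outgoing interface). Prefixes are documentation ranges.
ROUTES = [
    ("0.0.0.0/0", "uplink0"),        # default route, ignored by the check
    ("192.0.2.0/24", "cust0"),       # customer block A
    ("198.51.100.0/25", "cust1"),    # customer block B
    ("203.0.113.0/24", "uplink0"),   # peer network reached via the uplink
]

def lookup(src, routes=ROUTES, use_default=False):
    """Longest-prefix match for src; returns (network, iface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not use_default:
            continue  # the message's point: the default route must not count
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def accept(src, in_iface, strict=False, routes=ROUTES):
    """Loose mode: accept if any non-default route covers the source.
    Strict mode (beyond the message): that route must also use the
    interface the packet arrived on."""
    route = lookup(src, routes)
    if route is None:
        return False
    return route[1] == in_iface if strict else True

if __name__ == "__main__":
    # Constructed packets: (source address, arrival interface)
    packets = [
        ("192.0.2.17", "cust0"),      # legitimate customer source
        ("10.9.8.7", "cust0"),        # spoofed: only the default route matches
        ("198.51.100.200", "cust1"),  # spoofed: outside the customer's /25
        ("192.0.2.17", "cust1"),      # routable, but arrives on the wrong port
    ]
    for src, iface in packets:
        print(src, iface, "loose:", accept(src, iface),
              "strict:", accept(src, iface, strict=True))
```

Because the decision is derived from the routing table itself, there is no separate filter list to keep in sync with routing, which is the operational advantage the message argues for.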