[4248] in linux-net channel archive
Re: SYN floods
daemon@ATHENA.MIT.EDU (Martin Mares)
Sat Aug 31 06:31:08 1996
From: Martin Mares <mj@k332.feld.cvut.cz>
To: jack@solucorp.qc.ca (Jacques Gelinas)
Date: Sat, 31 Aug 1996 10:53:48 +0200 (MET DST)
Cc: linux-net@vger.rutgers.edu
In-Reply-To: <Pine.LNX.3.91.960830225857.6750X-100000@486dos.solucorp.qc.ca> from "Jacques Gelinas" at Aug 30, 96 11:03:38 pm
Hello,
> This will happen if this is easy and foolproof. My understanding is that
> you can do this filtering now using the IP firewall of Linux (and
> others). One thing you can do with the IP firewall is create problems :-)
>
> Given that most ISPs generally want things to work (and have a hard time
> achieving this and keeping the pace), playing with firewalls and making a
> mistake is something they don't want.
A complete firewall is not a problem on a box which does only static
routing. On routers with more complex routing, you can at least simply
configure a global firewall allowing only packets with source address
from your address space to be sent out.
> One thing that may help a lot is a mechanism in the kernel which (besides
> slowing down the thing) tries to find a route for the source IP number for
> every packet getting in. For sure, in this case, the default route would
> not be used.
It also might help if your routing is symmetric.
Martin