[4250] in linux-net channel archive


Re: SYN floods

daemon@ATHENA.MIT.EDU (Gustav Bjoerkman)
Sat Aug 31 09:56:15 1996

Date: 	Sat, 31 Aug 1996 13:48:38 +0200 (MET DST)
From: Gustav Bjoerkman <gnork@beyond.malmo.lth.se>
To: Jacques Gelinas <jack@solucorp.qc.ca>
cc: Henry W Miller <mill0440@gold.tc.umn.edu>, linux-net@vger.rutgers.edu
In-Reply-To: <Pine.LNX.3.91.960830225857.6750X-100000@486dos.solucorp.qc.ca>

On Fri, 30 Aug 1996, Jacques Gelinas wrote:

> On Fri, 30 Aug 1996, Henry W Miller wrote:
> 
> > In the end this can only be addressed at the ISP end, if every ISP would 
> > keep track of its users' valid ip addresses and filter sources that didn't 
> > fit there...  but this is unlikely to happen.  
> 
> This will happen if this is easy and fool proof. My understanding is that 
> you can do this filtering now using the IP firewall of linux (and 
> other). One thing you can do with the IP firewall is create problems :-)
> 
> Given that most ISPs generally want things to work (and have a hard time 
> achieving this and keeping pace), playing with firewalls and making a 
> mistake is something they don't want.
> 
> One thing that may help a lot is a mechanism in the kernel which (besides 
> slowing down the thing) tries to find a route for the source IP number for 
> every packet getting in. For sure, in this case, the default route would 
> not be used.
> 
> This kind of "check box" feature would be much more sellable to ISPs than 
> asking them to synchronise the firewalling rule with the routing.
> 
> Maybe such a thing exists in routers already.
> 
>  --------------------------------------------------------
> Jacques Gelinas (jacques@solucorp.qc.ca)
> Linuxconf: The ultimate administration system for Linux.
> see http://www.solucorp.qc.ca:/linuxconf
> 
> 
> 
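
The source-route check described in the quoted message above, sketched as an added example (not code from this thread or from the Linux kernel). The routing table, interface names and packets are constructed; the strict mode, which also requires the route to point back out the arrival interface, goes beyond the quoted proposal.

```python
import ipaddress

# Constructed routing table for a small ISP edge router: (prefix, interface).
ROUTES = [
    ("0.0.0.0/0", "uplink0"),         # default route
    ("192.0.2.0/24", "cust0"),        # customer A
    ("198.51.100.0/25", "cust1"),     # customer B
    ("198.51.100.128/25", "cust2"),   # customer C
]
TABLE = [(ipaddress.ip_network(p), ifname) for p, ifname in ROUTES]


def lookup(addr, use_default=False):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, ifname in TABLE:
        if net.prefixlen == 0 and not use_default:
            continue  # the check must not be satisfied by the default route
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def source_check(src, in_if, strict=False):
    """True if a packet with source `src` arriving on `in_if` is accepted."""
    route = lookup(src)  # default route deliberately excluded
    return route is not None and (not strict or route[1] == in_if)


def filter_packets(packets, strict=False):
    """Split (src, in_if) packets into accepted and dropped lists."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if source_check(*pkt, strict=strict) else dropped).append(pkt)
    return accepted, dropped


# Constructed sample traffic: (source address, arrival interface).
PACKETS = [
    ("192.0.2.10", "cust0"),      # customer A using its own address
    ("198.51.100.200", "cust1"),  # customer B claiming customer C's address
    ("203.0.113.7", "cust0"),     # source with no specific route at all
]

if __name__ == "__main__":
    for mode in (False, True):
        ok, bad = filter_packets(PACKETS, strict=mode)
        print("strict" if mode else "loose", "accepted:", ok, "dropped:", bad)
```

On an interface whose legitimate sources are reachable only through the default route (the uplink in this table), the same check would drop valid traffic, so it fits customer-facing interfaces.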

