[4349] in North American Network Operators' Group
Re: SYN floods - possible solution? (fwd)
daemon@ATHENA.MIT.EDU (Craig A. Huegen)
Fri Sep 13 10:41:57 1996
Date: Fri, 13 Sep 1996 07:40:07 -0700 (PDT)
From: "Craig A. Huegen" <c-huegen@quad.quadrunner.com>
To: Michael Dillon <michael@memra.com>
cc: nanog@merit.edu
In-Reply-To: <Pine.BSI.3.93.960912232929.11005F-100000@sidhe.memra.com>
On Thu, 12 Sep 1996, Michael Dillon wrote:
==>Now here is something that could be used by sites to protect against
==>SYN flood attack assuming that they can build a special custom box
==>with enough RAM to buffer the sockets for 30 seconds or more. How high
==>
==>From: "Roderick Murchison, Jr." <murchiso@vivid.newbridge.com>
==>
==>Ok. Say you have a firewall between your network and your Internet
==>connection. If that firewall could detect and *detain* a segment with the
==>SYN option set, then see if the set source IP answers an ICMP echo
This is bad. You should never depend upon remote hosts to give you ICMP
responses to establish connections, for several reasons:
1. What if a real remote site uses "established" connection firewalls
and chooses to block ICMP? In that case, you've limited yourself
vastly as to what can connect to you (there are a lot of sites which
use cisco's "established" keyword to firewall and keep
functionality).
2. When links become congested, ICMP packets are given a lower priority
to make way for real data.
/cah
----
Craig A. Huegen CCIE #2100
Network Analyst, IS-Network/Telecom
cisco Systems, Inc., 250 West Tasman Drive
San Jose, CA 95134, (408) 526-8104
email: chuegen@cisco.com
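The objection above can be checked with a small model of the proposed "detain the SYN, ping the source" firewall. This is an added simulation, not code from the thread or from any product; the host addresses, reply times and the detain window are constructed, and the `legitimate` flag is ground truth that a real firewall would never have.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SynAttempt:
    src: str                       # constructed address, documentation ranges only
    legitimate: bool               # ground truth, known only to the simulation
    icmp_reply_ms: Optional[int]   # None = source never answers an ICMP echo

def gate(attempt: SynAttempt, detain_ms: int) -> str:
    """What the proposed firewall does with one detained SYN: forward it only
    if the source answers an echo request before the detain window expires."""
    if attempt.icmp_reply_ms is None or attempt.icmp_reply_ms > detain_ms:
        return "drop"
    return "forward"

def evaluate(attempts, detain_ms: int) -> dict:
    """Count outcomes by class so the collateral damage is visible:
    legitimate connections the gate rejected versus spoofed SYNs it stopped."""
    counts = {"legit_forwarded": 0, "legit_dropped": 0,
              "spoofed_forwarded": 0, "spoofed_dropped": 0}
    for a in attempts:
        verdict = gate(a, detain_ms)
        key = ("legit" if a.legitimate else "spoofed") + "_" + \
              ("forwarded" if verdict == "forward" else "dropped")
        counts[key] += 1
    return counts

# Constructed sample: the two cases raised in the reply plus a spoofed flood.
SAMPLE = [
    SynAttempt("192.0.2.10", True, 40),     # ordinary host, answers ping at once
    SynAttempt("192.0.2.20", True, None),   # real site behind an "established"-only
                                            # filter that also blocks ICMP (point 1)
    SynAttempt("192.0.2.30", True, 1500),   # reachable, but its echo reply sat in a
                                            # congested queue behind real data (point 2)
    SynAttempt("203.0.113.7", False, None), # spoofed flood sources: nobody answers,
    SynAttempt("203.0.113.8", False, None), # so the gate does stop these
]

if __name__ == "__main__":
    for window in (1000, 2000):
        print(window, evaluate(SAMPLE, window))
```

The spoofed SYNs are dropped at any window size, but so are the legitimate ICMP-blocking and congested sources; widening the window rescues the congested one only at the cost of holding every detained SYN, and its buffered state, that much longer.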