[4351] in North American Network Operators' Group
Re: SYN floods - possible solution? (fwd)
daemon@ATHENA.MIT.EDU (Steven L. Johnson)
Fri Sep 13 11:59:08 1996
From: "Steven L. Johnson" <steve@barstool.com>
To: c-huegen@quad.quadrunner.com (Craig A. Huegen)
Date: Fri, 13 Sep 1996 11:51:20 -0400 (EDT)
Cc: michael@memra.com, nanog@merit.edu
In-Reply-To: <Pine.QUAD.3.94.960913073507.4865B-100000@quad.quadrunner.com> from "Craig A. Huegen" at Sep 13, 96 07:40:07 am
Yes, using ICMP to try and do TCP SYN validation is bad. In addition to
the case where a firewalled site blocks ICMP, consider the case where a
group of hosts will respond to pings but have (some/much) TCP traffic to
them filtered by a conventional firewall. These hosts can be used as
candidate source addresses for a TCP SYN attack as they will respond to
the ICMP echo request but will not send a TCP RST to tear down the bogus
TCP connection.
Much better IMO to consider waiting for a TCP ACK in response to the TCP
SYN-ACK for the requested TCP connection than to wait for an ICMP echo
response at the firewall. As noted before, this is a very simple transparent
proxy service that can be implemented at the packet level, very similar
to that of a NAT box.
-Steve
>
> On Thu, 12 Sep 1996, Michael Dillon wrote:
>
> ==>Now here is something that could be used by sites to protect against
> ==>SYN flood attack assuming that they can build a special custom box
> ==>with enough RAM to buffer the sockets for 30 seconds or more. How high
> ==>
> ==>From: "Roderick Murchison, Jr." <murchiso@vivid.newbridge.com>
> ==>
> ==>Ok. say you have a firewall between your network and your Internet
> ==>connection. If that firewall could detect and *detain* a segment with the
> ==>SYN option set, then see if the set source IP answers an ICMP echo
>
> This is bad. You should never depend upon remote hosts to give you ICMP
> responses to establish connections. This is because of several reasons:
>
> 1. What if a real remote site uses "established" connection firewalls
> and chooses to block ICMP? In that case, you've limited yourself
> vastly as to what can connect to you (there are a lot of sites which
> use cisco's "established" keyword to firewall and keep
> functionality).
>
> 2. When links become congested, ICMP packets are given a lower priority
> to make way for real data.
>
> /cah
>
> ----
> Craig A. Huegen CCIE #2100
> Network Analyst, IS-Network/Telecom
> cisco Systems, Inc., 250 West Tasman Drive
> San Jose, CA 95134, (408) 526-8104
> email: chuegen@cisco.com
>
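The two approaches argued over in this thread, simulated side by side. This is an added example, not code from either poster: a tiny model of the quoted "detain the SYN and ping the source" firewall next to a packet-level SYN proxy that answers the SYN-ACK itself and only opens the real connection once the client's ACK arrives, then carries a sequence-number offset for later segments the way a NAT box carries an address rewrite. The addresses, the three remote hosts (an ordinary client, a host that answers ping but has inbound TCP filtered, and a site that blocks ICMP) and the fixed ISNs are all constructed for the example.

```python
"""Constructed simulation: ICMP-echo source validation versus completing the
TCP handshake at the firewall (transparent SYN proxy) before the server
sees anything. Hosts, addresses and segments are made up for the example."""
from dataclasses import dataclass

SERVER = "192.0.2.10"               # protected server behind the firewall (constructed)
PROXY_ISN, SERVER_ISN = 5000, 7000  # fixed ISNs so the trace is easy to follow


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: str           # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0


class Host:
    """Remote host: may or may not answer ping, may have inbound TCP filtered."""
    def __init__(self, ip, answers_ping, tcp_filtered):
        self.ip, self.answers_ping, self.tcp_filtered = ip, answers_ping, tcp_filtered
        self.opened = {}   # dst -> ISN of connections this host really started

    def syn(self, dst, isn):
        self.opened[dst] = isn
        return Segment(self.ip, dst, "SYN", seq=isn)

    def receive(self, seg):
        """ACK a SYN-ACK we asked for; RST one we did not, unless TCP is filtered."""
        if seg.flags != "SYN-ACK":
            return None
        if seg.src in self.opened and seg.ack == self.opened[seg.src] + 1:
            return Segment(self.ip, seg.src, "ACK", seq=seg.ack, ack=seg.seq + 1)
        return None if self.tcp_filtered else Segment(self.ip, seg.src, "RST", seq=seg.ack)


class Server:
    """Protected host. Its half-open table is the resource a SYN flood exhausts."""
    def __init__(self):
        self.half_open, self.established = {}, set()

    def receive(self, seg):
        if seg.flags == "SYN":
            self.half_open[seg.src] = seg.seq
            return Segment(SERVER, seg.src, "SYN-ACK", seq=SERVER_ISN, ack=seg.seq + 1)
        if seg.flags == "ACK" and seg.ack == SERVER_ISN + 1 and seg.src in self.half_open:
            del self.half_open[seg.src]
            self.established.add(seg.src)
        elif seg.flags == "RST":
            self.half_open.pop(seg.src, None)
        return None


class IcmpCheckFirewall:
    """The quoted proposal: detain the SYN, forward it only if the source answers ping."""
    def __init__(self, server, hosts):
        self.server, self.hosts = server, hosts

    def inbound(self, seg):
        if seg.flags == "SYN":
            host = self.hosts.get(seg.src)
            if host is None or not host.answers_ping:
                return None     # no echo reply: dropped, even when it was a real client
        return self.server.receive(seg)   # the server allocates state for every admitted SYN


class SynProxyFirewall:
    """Finish the three-way handshake at the firewall before the server hears of it."""
    def __init__(self, server):
        self.server = server
        self.awaiting_ack = {}  # src -> (proxy ISN, client ISN); small entry that would age out
        self.seq_delta = {}     # src -> offset for rewriting later segments, NAT-style

    def inbound(self, seg):
        if seg.flags == "SYN":
            self.awaiting_ack[seg.src] = (PROXY_ISN, seg.seq)
            return Segment(SERVER, seg.src, "SYN-ACK", seq=PROXY_ISN, ack=seg.seq + 1)
        if seg.flags == "RST":
            self.awaiting_ack.pop(seg.src, None)
        elif seg.flags == "ACK" and seg.src in self.awaiting_ack:
            proxy_isn, client_isn = self.awaiting_ack.pop(seg.src)
            if seg.ack != proxy_isn + 1:
                return None
            # Source proven real; now open the actual connection on the client's behalf.
            synack = self.server.receive(Segment(seg.src, SERVER, "SYN", seq=client_isn))
            self.server.receive(Segment(seg.src, SERVER, "ACK", seq=client_isn + 1, ack=synack.seq + 1))
            self.seq_delta[seg.src] = synack.seq - proxy_isn
        return None


def run(firewall, hosts, seg):
    """Deliver segments back and forth until one side has nothing more to say."""
    for _ in range(8):
        if seg is None:
            return
        seg = firewall.inbound(seg) if seg.dst == SERVER else hosts[seg.dst].receive(seg)


def scenario(make_firewall):
    hosts = {
        "203.0.113.1": Host("203.0.113.1", answers_ping=True, tcp_filtered=False),   # ordinary client
        "203.0.113.2": Host("203.0.113.2", answers_ping=True, tcp_filtered=True),    # pingable, TCP filtered
        "203.0.113.3": Host("203.0.113.3", answers_ping=False, tcp_filtered=False),  # blocks ICMP
    }
    server = Server()
    fw = make_firewall(server, hosts)
    run(fw, hosts, hosts["203.0.113.1"].syn(SERVER, 100))          # real connection
    run(fw, hosts, Segment("203.0.113.2", SERVER, "SYN", seq=1))   # attacker spoofing .2
    run(fw, hosts, Segment("203.0.113.3", SERVER, "SYN", seq=2))   # attacker spoofing .3
    run(fw, hosts, hosts["203.0.113.3"].syn(SERVER, 300))          # real client behind an ICMP-blocking firewall
    return {"established": sorted(server.established),
            "half_open_at_server": sorted(server.half_open)}


def compare_defences():
    return {"icmp_check": scenario(IcmpCheckFirewall),
            "syn_proxy": scenario(lambda server, hosts: SynProxyFirewall(server))}
```

Running compare_defences() shows the two failure modes from the thread in one place: under the ICMP check the spoofed SYN from the pingable-but-filtered host is admitted and sits in the server's half-open table (no RST ever comes back), while the ICMP-blocking site cannot connect at all; under the SYN proxy the server only ever sees completed handshakes, the RST from the unfiltered spoofed host clears the proxy's entry, and the ICMP-blocking site connects normally. Note the proxy still keeps a small per-SYN entry while waiting for the ACK; in a real box that table must be bounded and aged out, which is the RAM question raised earlier in the thread.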