[4983] in North American Network Operators' Group

Re: TCP SYN attacks

daemon@ATHENA.MIT.EDU (Tom Perrine)
Thu Oct 3 17:22:40 1996

Date: Thu, 3 Oct 96 14:13:26 PDT
From: Tom Perrine <tep@sdsc.edu>
To: dvv@sprint.net
Cc: richards@netrex.com, rja@cisco.com, nanog@merit.edu, iepg@iepg.org
In-Reply-To: <199610032032.QAA28971@mercury.int.sprintlink.net> (dvv@sprint.net)

>>>>> The moving finger of Dima Volodin, having written:

    Dima> Any data on how the firewall itself withstands SYN attacks? How many
    Dima> resources are needed to cope with a real attack? From what I've read in
    Dima> their white paper it's just a piece of SYN-processing code that was
    Dima> duplicated (functionally) in the gateway, so all concerns about resource
    Dima> usage and speed seem to be still valid.


    Dima> Dima

I agree.

It seems to me that placing this processing in the firewall is
*potentially* dangerous, as now a SYN-flooding attack (*IF*
*successful*) will deny service to everything behind the firewall,
instead of just the targeted host.

If I know I can fire-hose your firewall, and take your *site* off the
net, then it might become more attractive to me to "find" sufficient
CPU and bandwidth resources to generate enough packets to take you
out.  This could "raise the stakes" enough to make it worth it to an
attacker.

-- 
Tom E. Perrine (tep@SDSC.EDU) | San Diego Supercomputer Center 
http://www.sdsc.edu/~tep/     | Voice: +1.619.534.5000
"Ille Albus Canne Vinco Homines" - You Know Who
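
A toy model of the shared-fate concern raised in this message, added here as an example and not part of the original post: it compares half-open connection tables kept per end host with a single table kept in the firewall while a SYN flood is aimed at one host. Table sizes, the timeout, the rates and the host names are constructed values; the model assumes a legitimate handshake completes instantly and that each tick's flood SYNs are processed before the legitimate ones.

```python
from collections import deque

class HalfOpenTable:
    """Bounded table of half-open connections (SYN seen, final ACK not yet)."""
    def __init__(self, capacity, timeout):
        self.capacity, self.timeout = capacity, timeout
        self.expiries = deque()          # expiry tick of each pending entry, oldest first

    def admit(self, now, completes):
        while self.expiries and self.expiries[0] <= now:
            self.expiries.popleft()      # time out stale half-open entries
        if len(self.expiries) >= self.capacity:
            return False                 # no free slot: the SYN is dropped
        if not completes:                # spoofed source: no ACK ever arrives,
            self.expiries.append(now + self.timeout)  # so the slot is held until timeout
        return True                      # a real client completes and frees its slot at once


def simulate(shared, hosts=("A", "B", "C"), target="A", ticks=300,
             flood_per_tick=500, host_slots=128, firewall_slots=1024, timeout=75):
    """Return {host: legitimate connections accepted}; all sizes are constructed values."""
    if shared:                           # SYN handling done once, in the firewall
        fw = HalfOpenTable(firewall_slots, timeout)
        tables = {h: fw for h in hosts}
    else:                                # SYN handling done by each end host
        tables = {h: HalfOpenTable(host_slots, timeout) for h in hosts}
    accepted = dict.fromkeys(hosts, 0)
    for now in range(ticks):
        for _ in range(flood_per_tick):  # flood aimed at one host only
            tables[target].admit(now, completes=False)
        for h in hosts:                  # one legitimate client per host per tick
            if tables[h].admit(now, completes=True):
                accepted[h] += 1
    return accepted


if __name__ == "__main__":
    print("per-host tables :", simulate(shared=False))
    print("firewall table  :", simulate(shared=True))
```

With per-host tables only the targeted host loses service; with the single firewall table, which is eight times larger in this model, every host behind it does once that table fills.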
