[5002] in North American Network Operators' Group
Re: TCP SYN attacks
daemon@ATHENA.MIT.EDU (Avi Freedman)
Thu Oct 3 21:00:15 1996
From: Avi Freedman <freedman@netaxs.com>
To: tep@sdsc.edu (Tom Perrine)
Date: Thu, 3 Oct 1996 20:50:51 -0400 (EDT)
Cc: dvv@sprint.net, richards@netrex.com, rja@cisco.com, nanog@merit.edu,
iepg@iepg.org
In-Reply-To: <9610032113.AA23170@galt.sdsc.edu> from "Tom Perrine" at Oct 3, 96 02:13:26 pm
> I agree.
>
> It seems to me that placing this processing in the firewall is
> *potentially* dangerous, as now a SYN-flooding attack (*IF*
> *successful*) will deny service to everything behind the firewall,
> instead of just the targeted host.
>
> If I know I can fire-hose your firewall, and take your *site* off the
> net, then it might become more attractive to me to "find" sufficient
> CPU and bandwidth resources to generate enough packets to take you
> out. This could "raise the stakes" enough to make it worth it to an
> attacker.
If someone can hose a firewall with an adaptive SYN timeout and
a 100,000 or more-entry state storage structure for pending SYNs
(not that any particular implementation does this that I know of
or don't know of) then I *WANT* them to attack me.
Something that un-subtle should be easy to track back to the source.
> Tom E. Perrine (tep@SDSC.EDU) | San Diego Supercomputer Center
> http://www.sdsc.edu/~tep/ | Voice: +1.619.534.5000
> "Ille Albus Canne Vinco Homines" - You Know Who
Avi
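The defence Avi sketches above (a large pending-SYN state table whose SYN timeout adapts to how full the table is) as a small Python simulation. This is an added illustration, not code from the NANOG thread or from any firewall product; the table size, flood rate, timeouts and traffic mix are constructed assumptions chosen to make the effect visible, and the class and function names are hypothetical:

```python
"""Toy model of a firewall's pending-SYN (half-open) table with an adaptive
SYN timeout.  Constructed example: every parameter below is an assumption,
not a measurement of any real implementation."""


class HalfOpenTable:
    """Bounded table of connections that sent a SYN but have not yet ACKed.

    With adaptive=True the timeout shrinks linearly from base_timeout_ms
    (empty table) towards min_timeout_ms (full table), so under a flood the
    spoofed entries age out fast enough that the table never fills.  With
    adaptive=False the timeout is fixed and the table simply fills up.
    """

    def __init__(self, capacity, base_timeout_ms, min_timeout_ms, adaptive=True):
        self.capacity = capacity
        self.base_timeout_ms = base_timeout_ms
        self.min_timeout_ms = min_timeout_ms
        self.adaptive = adaptive
        self.pending = {}   # connection key -> time of the SYN, in ms
        self.dropped = 0    # SYNs refused because the table was full
        self.expired = 0    # entries removed by the timeout
        self.peak = 0       # largest occupancy seen

    def current_timeout_ms(self):
        if not self.adaptive:
            return self.base_timeout_ms
        load = len(self.pending) / self.capacity
        return max(self.min_timeout_ms, self.base_timeout_ms * (1.0 - load))

    def expire(self, now_ms):
        """Drop half-open entries older than the (possibly adaptive) timeout."""
        timeout = self.current_timeout_ms()
        stale = [k for k, t in self.pending.items() if now_ms - t > timeout]
        for k in stale:
            del self.pending[k]
        self.expired += len(stale)
        return len(stale)

    def on_syn(self, key, now_ms):
        """A SYN arrived; returns False if the firewall had to refuse it."""
        self.expire(now_ms)
        if key in self.pending:
            self.pending[key] = now_ms   # retransmitted SYN refreshes the entry
            return True
        if len(self.pending) >= self.capacity:
            self.dropped += 1
            return False
        self.pending[key] = now_ms
        self.peak = max(self.peak, len(self.pending))
        return True

    def on_ack(self, key, now_ms):
        """Final ACK of the handshake: the entry leaves the half-open table."""
        self.expire(now_ms)
        return self.pending.pop(key, None) is not None


def simulate(adaptive, capacity=1000, flood_per_sec=500, duration_ms=10_000,
             step_ms=100, client_rtt_ms=200, base_timeout_ms=75_000,
             min_timeout_ms=1_000):
    """Run a spoofed SYN flood alongside one legitimate client SYN per step
    and report how many legitimate handshakes completed or were refused."""
    table = HalfOpenTable(capacity, base_timeout_ms, min_timeout_ms, adaptive)
    acks_in_flight = []   # (delivery_time_ms, key) for legitimate clients
    completed = refused = attempts = 0
    for step in range(duration_ms // step_ms):
        now = step * step_ms
        # Spoofed flood: each SYN from a distinct constructed source, never ACKed.
        for j in range(flood_per_sec * step_ms // 1000):
            table.on_syn(("spoofed", step, j), now)
        # One legitimate client per step; its ACK arrives one RTT later.
        attempts += 1
        key = ("client", step)
        if table.on_syn(key, now):
            acks_in_flight.append((now + client_rtt_ms, key))
        else:
            refused += 1
        # Deliver the legitimate ACKs that are due by now.
        for entry in [e for e in acks_in_flight if e[0] <= now]:
            acks_in_flight.remove(entry)
            if table.on_ack(entry[1], now):
                completed += 1
    return {"attempts": attempts, "completed": completed, "refused": refused,
            "peak_pending": table.peak, "flood_syns_dropped": table.dropped,
            "expired": table.expired}


if __name__ == "__main__":
    for mode in (False, True):
        print("adaptive" if mode else "fixed   ", simulate(adaptive=mode))
```

With the fixed 75 s timeout the 1000-entry table fills about two seconds into the flood and every legitimate SYN after that is refused, which is exactly the site-wide outage Tom worries about when the state lives in the firewall. With the adaptive timeout, spoofed entries start aging out once the table is roughly 97% full, occupancy settles just below capacity, and every legitimate handshake completes because a real client's ACK arrives long before even the minimum one-second timeout.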