[5004] in North American Network Operators' Group
Re: TCP SYN attacks
daemon@ATHENA.MIT.EDU (Alexis Rosen)
Fri Oct 4 00:39:08 1996
From: Alexis Rosen <alexis@panix.com>
To: tep@sdsc.edu (Tom Perrine)
Date: Fri, 4 Oct 1996 00:26:26 -0400 (EDT)
Cc: dvv@sprint.net, richards@netrex.com, rja@cisco.com, nanog@merit.edu, iepg@iepg.org
In-Reply-To: <9610032113.AA23170@galt.sdsc.edu> from "Tom Perrine" at Oct 3, 96 02:13:26 pm
Tom Perrine writes:
> Dima> Any data on how the firewall itself withstands SYN attacks? How much
> Dima> resources are needed to cope with a real attack? From what I've read in
> Dima> their white paper it's just a piece of SYN-processing code that was
> Dima> duplicated (functionally) in the gateway, so all concerns about resource
> Dima> usage and speed seem to be still valid.
>
> I agree.
>
> It seems to me that placing this processing in the firewall is
> *potentially* dangerous, as now a SYN-flooding attack (*IF*
> *successful*) will deny service to everything behind the firewall,
> instead of just the targeted host.
>
> If I know I can fire-hose your firewall, and take your *site* off the
> net, then it might become more attractive to me to "find" sufficient
> CPU and bandwidth resources to generate enough packets to take you
> out. This could "raise the stakes" enough to make it worth it to an
> attacker.
I have no opinion about this product specifically, though I don't really
favor the approach (at least if you have other options, which most people
do).
However, I doubt this objection is valid. I think it should be pretty easy
to write code that can handle an entire T1 full of SYNs pretty easily on a
low-end Pentium box (as long as the Ethernet driver is up to it, which should
also not be a big problem). Even without the moderately clever ideas already
being implemented (like random drop and SYN hashing) the current BSD code
can comfortably handle 1000 elements in a linked list. Hashing alone will
probably buy you two or three orders of magnitude improvement.
So maybe you can kill someone's firewall with a T3 with this approach. So
what? You can *already* do that...
/a
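As an added illustration of the random-drop and hashing ideas mentioned in the email (example code written for this page, not taken from the thread or from any BSD source), here is a small Python simulation of a half-open connection table under a stream of spoofed, never-acknowledged SYNs. The table size, flood sizes and addresses are constructed values; a real stack would also time entries out, which this model omits.

```python
import random

# Added simulation (not from the thread): a half-open connection table keyed
# by (address, port), i.e. a hash lookup rather than the linked-list walk the
# email describes, with optional "random drop" eviction when the table is full.
class SynBacklog:
    def __init__(self, capacity, random_drop):
        self.capacity = capacity
        self.random_drop = random_drop
        self.table = {}  # (src_addr, src_port) -> "SYN_RCVD"

    def on_syn(self, key):
        """Record a SYN; True if a half-open entry now exists for key."""
        if key in self.table:
            return True
        if len(self.table) >= self.capacity:
            if not self.random_drop:
                return False  # table full: the SYN is simply ignored
            victim = random.choice(list(self.table))  # O(n) pick, fine for a simulation
            del self.table[victim]
        self.table[key] = "SYN_RCVD"
        return True

    def on_ack(self, key):
        """Final handshake ACK; True only if the entry was not evicted."""
        return self.table.pop(key, None) is not None


def simulate(capacity, flood_per_client, clients, random_drop, seed=1):
    """Fraction of legitimate clients that complete the handshake while spoofed
    SYNs (never acknowledged) keep arriving. Addresses are constructed."""
    random.seed(seed)
    backlog = SynBacklog(capacity, random_drop)
    spoofed = iter(range(10**9))  # each spoofed SYN uses a fresh source key

    def flood(n):
        for _ in range(n):
            backlog.on_syn(("spoofed", next(spoofed)))

    flood(capacity)  # the flood fills the table before any real client arrives
    completed = 0
    for i in range(clients):
        client = ("198.51.100.1", 50000 + i)
        flood(flood_per_client)
        backlog.on_syn(client)
        flood(flood_per_client)  # more spoofed SYNs land before the client's ACK
        if backlog.on_ack(client):
            completed += 1
    return completed / clients
```

With `simulate(256, 64, 400, random_drop=False)` no client ever gets in once the table is full, while `random_drop=True` lets roughly (255/256)^64, about three quarters, of them complete.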