Bugtraq mailing list archives

Re: TCP SYN attack possible SOLUTION: FW-1


From: drwho () l0pht com (Doctor Who)
Date: Wed, 2 Oct 1996 21:59:56 -0400


I've taken a look at what they're offering. What it does is "mitigate" the
connection between hosts, flushing an attacker if it doesn't get the ACK
within a required period of time. If it does get the ACK, it then passes
the SYN and ACK to the destination host. While this is going to help
prevent medium-sized hosts squashing little ones, it will not keep very
fast hosts/connections from squashing the firewall box with the same
methods currently in use. Indeed, it could make things worse, by moving
the pinch point from the end-user to an ISP, so instead of one person
being taken out by a moron with a syn-bomb and a fast host, he takes out
an entire ISP's firewall.

I can see problems now, where people connecting from a really slow host in
Uganda or tiac get timed out, while a T3 next door can flood and crash
the firewall. Of course, I am sure that SYNdefender has some pretty nifty
algorithms to help against such attacks (which is nice, because we don't
have to make every ISP user upgrade their operating system), but it is not
a solution in and of itself. SYN-bombs will be here for a while. The real
cure is for IP addresses not to be fakable, by having routers check the
address of each packet to see that it is valid from that interface. Of
course, I don't see this happening universally ever, so other methods are
necessary.

In summary, nice tool, firewall-1, but not a solution. And too bad it's
patented.

--Dr. Who
RadioPhone -  Cellular Phone / Pager archives: programming, monitoring,
and more! http://www.l0pht.com/radiophone
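Added illustration, not code from the post or from the SYNDefender product: a toy model of the SYN-relay behaviour Dr. Who describes (the gateway holds a half-open entry, flushes it on timeout, and completes the relay only when the client's ACK arrives). The capacity, timeout and arrival rates are constructed assumptions; the model exhibits both failure modes he raises, a slow client timed out by the relay and a fast spoofed flood exhausting the gateway's own table.

```python
from dataclasses import dataclass, field


@dataclass
class SynRelay:
    """Toy model of a SYN-relaying gateway: it answers the client's SYN itself,
    holds a half-open entry until the client's ACK arrives, and only then lets
    the handshake through to the protected host. Times are integer milliseconds."""
    capacity: int        # half-open entries the gateway can hold (assumed)
    timeout_ms: int      # un-ACKed entries are flushed after this (assumed)
    pending: dict = field(default_factory=dict)  # conn key -> SYN arrival time
    completed: int = 0   # handshakes relayed on to the destination host
    dropped: int = 0     # SYNs refused because the gateway's table was full

    def expire(self, now):
        stale = [k for k, t in self.pending.items() if now - t >= self.timeout_ms]
        for k in stale:
            del self.pending[k]
        return len(stale)

    def on_syn(self, now, key):
        self.expire(now)
        if key in self.pending:
            return False            # retransmitted SYN, already tracked
        if len(self.pending) >= self.capacity:
            self.dropped += 1       # table exhausted: this is the new pinch point
            return False
        self.pending[key] = now
        return True

    def on_ack(self, now, key):
        self.expire(now)
        if key not in self.pending:
            return False            # ACK arrived too late (entry flushed) or unknown
        del self.pending[key]
        self.completed += 1         # gateway now replays SYN/ACK to the real host
        return True


def flood(relay, syns_per_second, seconds):
    """Spoofed SYNs (constructed, never ACKed), evenly spaced, for `seconds`.
    Steady-state occupancy is rate * timeout; once that exceeds capacity the
    gateway itself starts refusing connections."""
    interval_ms = 1000 // syns_per_second
    for n in range(syns_per_second * seconds):
        # 203.0.113.0/24 is a documentation range: these sources never answer
        relay.on_syn(n * interval_ms, (f"203.0.113.{n % 254}", 40000 + n))
    return relay
```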
