Bugtraq mailing list archives
Re: TCP SYN attack possible SOLUTION: FW-1
From: drwho () l0pht com (Doctor Who)
Date: Wed, 2 Oct 1996 21:59:56 -0400
I've taken a look at what they're offering. What it does is "mitigate" the connection between hosts, flushing an attacker if it doesn't get the ACK within a required period of time. If it does get the ACK, it then passes the SYN and ACK to the destination host.

While this is going to help prevent medium-sized hosts squashing little ones, it will not keep very fast hosts/connections from squashing the firewall box with the same methods currently in use. Indeed, it could make things worse, by moving the pinch point from the end-user to an ISP, so instead of one person being taken out by a moron with a SYN-bomb and a fast host, he takes out an entire ISP's firewall. I can see problems now, where people connecting from a really slow host in Uganda or TIAC get timed out, while a T3 next door can flood and crash the firewall.

Of course, I am sure that SYNDefender has some pretty nifty algorithms to help against such attacks (which is nice, because we don't have to make every ISP user upgrade their operating system), but it is not a solution in and of itself. SYN-bombs will be here for a while. The real cure is for IP addresses not to be fakable, by having routers check the address of each packet to see that it is valid from that interface. Of course, I don't see this happening universally ever, so other methods are necessary.

In summary, nice tool, FireWall-1, but not a solution. And too bad it's patented.

--Dr. Who

RadioPhone - Cellular Phone / Pager archives: programming, monitoring, and more!
http://www.l0pht.com/radiophone
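The relay scheme the post describes, and the per-interface source-address check it calls the real cure, as an added example that is not part of the original post and not FireWall-1 or SYNDefender code: a Python model of a firewall that answers each SYN itself, keeps a bounded table of half-open entries, flushes any entry that gets no ACK within a timeout, and forwards only completed handshakes. The table capacity, the timeout, the sender rates, the client round-trip times and the addresses are all assumptions chosen to make the post's three scenarios visible.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SynRelay:
    """Toy model of a SYN-relay firewall (the scheme the post describes):
    the firewall keeps an entry for each SYN it answers and passes the
    connection to the destination host only once the client's ACK arrives.
    Entries that never see an ACK are flushed after `timeout` seconds."""
    capacity: int            # bound on simultaneous half-open entries (assumed)
    timeout: float           # seconds an un-ACKed entry is kept (assumed)
    pending: dict = field(default_factory=dict)  # (src, sport) -> time SYN seen
    forwarded: int = 0       # handshakes completed and passed to the server
    dropped: int = 0         # SYNs refused because the table was full
    flushed: int = 0         # entries expired without an ACK
    peak: int = 0            # high-water mark of the table

    def _expire(self, now):
        stale = [k for k, t in self.pending.items() if now - t >= self.timeout]
        for k in stale:
            del self.pending[k]
        self.flushed += len(stale)

    def on_syn(self, src, sport, now):
        self._expire(now)
        if len(self.pending) >= self.capacity:
            self.dropped += 1        # table full: the relay itself is the pinch point
            return False
        self.pending[(src, sport)] = now
        self.peak = max(self.peak, len(self.pending))
        return True

    def on_ack(self, src, sport, now):
        self._expire(now)
        if self.pending.pop((src, sport), None) is None:
            return False             # no live entry: ACK came too late, or no SYN
        self.forwarded += 1
        return True


def simulate(attack_syn_rate, client_rtt, capacity=1000, timeout=2.0, duration=6.0):
    """Drive the relay with a spoofing sender at `attack_syn_rate` SYN/s that
    never ACKs, plus one legitimate client (constructed address) whose ACK
    arrives `client_rtt` seconds after its SYN at t = 1.0.  Returns counters."""
    relay = SynRelay(capacity, timeout)
    step = 0.01
    client = ("198.51.100.7", 40000)   # constructed sample address
    client_syn_at = 1.0
    spoofed = 0
    syn_sent = ack_sent = syn_accepted = connected = False
    for i in range(int(duration / step) + 1):
        now = i * step
        # spoofed SYNs due by now, each from a distinct fake source, never ACKed
        while spoofed < round(attack_syn_rate * now):
            relay.on_syn(f"spoof-{spoofed}", 1, now)
            spoofed += 1
        if not syn_sent and now >= client_syn_at - 1e-9:
            syn_sent = True
            syn_accepted = relay.on_syn(*client, now)
        if syn_accepted and not ack_sent and now >= client_syn_at + client_rtt - 1e-9:
            ack_sent = True
            connected = relay.on_ack(*client, now)
    return {
        "client_connected": connected,
        "syns_dropped": relay.dropped,
        "entries_flushed": relay.flushed,
        "peak_half_open": relay.peak,
        "forwarded": relay.forwarded,
    }


def ingress_ok(interface_prefixes, src):
    """The check the post asks routers for: accept a packet only when its
    source address lies within a prefix that legitimately sits behind the
    interface it arrived on, so a faked source never enters the network."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in interface_prefixes)


if __name__ == "__main__":
    print("slow attacker, fast client:", simulate(100, 0.1))
    print("fast attacker, fast client:", simulate(5000, 0.1))
    print("slow attacker, slow client:", simulate(100, 3.0))
    print(ingress_ok(["192.0.2.0/24"], "192.0.2.9"),
          ingress_ok(["192.0.2.0/24"], "203.0.113.5"))
```

The three runs reproduce the post's argument: at 100 spoofed SYN/s the table never fills and the client connects; at 5000 SYN/s the table is full within the first 0.2 s and every later SYN, the real client's included, is dropped at the firewall rather than at the end host; and a client whose ACK takes longer than the timeout is flushed before it arrives. A relay that holds state per SYN inherits the exhaustion problem it was meant to absorb, which is why `ingress_ok` sits beside it: dropping packets whose source cannot legitimately arrive on that interface removes the spoofing that makes the flood cheap in the first place.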
Current thread:
- TCP SYN attack possible SOLUTION: FW-1 Saqib A. Khan (Oct 02)
- Re: TCP SYN attack possible SOLUTION: FW-1 Doctor Who (Oct 02)
- BoS: ANNOUNCE: Livermore Solution for SYN FLOOD firstcat () lsli com (Oct 02)
- Re: BoS: ANNOUNCE: Livermore Solution for SYN FLOOD Perry E. Metzger (Oct 03)
- More HP vulnerabilities? Lionel Cons (Oct 03)