nanog mailing list archives

Re: New Denial of Service Attack on Panix


From: dvv () sprint net (Dima Volodin)
Date: Thu, 3 Oct 1996 14:33:47 -0400 (EDT)

But of course. The problem is that SYN_RCVD is a transient state in the
TCP automaton, and it requires some resource allocation. Life
might have been a little bit different if servers weren't forced
to track this state. Something like a signed ticket accompanying the
second SYN and the following ACK.


Dima

Paul Ferguson writes:

I agree completely, but neither one is a panacea.

- paul

At 08:40 AM 10/3/96 -0400, Dima Volodin wrote:

And if everyone doesn't make any attacks we won't have any problems
either. To rephrase - relying on ingress filtering is putting your
security in someone else's hands, doing host-based stuff is protecting
yourself with your own hands. To rephrase once again - doing ingress
filtering is "being conservative in what you produce", being able to
cope with SYN floods on the host level is "being liberal in what you
accept." We need both, and overemphasising one side of the solution will
do a lot of harm.


Dima





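As an added example (not part of Dima's message or of the NANOG thread), the following Python simulation shows one way to realize the "signed ticket" idea: the listener never enters a stored SYN_RCVD state. Instead it folds a keyed MAC over the connection 4-tuple, the client's ISN and a coarse timestamp into the ISN it sends back in the SYN-ACK, and allocates a connection record only when the returning ACK carries that number back and the MAC verifies. This is the approach known as SYN cookies. The secret key, the 64-second time slot, the 5-bit slot counter, the 24-bit MAC truncation, the MSS index field and all addresses and ports are assumptions chosen for the demonstration, not anything the thread specifies.

```python
"""Stateless handshake ticket (SYN-cookie style) - an illustrative simulation.

Layout of the 32-bit server ISN used as the ticket (assumed for this example):
  bits 31..27  5-bit time-slot counter (one slot = 64 s)
  bits 26..24  3-bit MSS index (the only SYN option the server remembers)
  bits 23..0   24-bit truncation of HMAC-SHA256(secret, 4-tuple, client ISN, slot)
"""
import hashlib
import hmac
import os

TICKET_SLOT_SECONDS = 64    # assumption: counter ticks every 64 s
MAX_TICKET_AGE_SLOTS = 1    # assumption: accept the current and the previous slot


def _time_slot(now):
    """Coarse 5-bit timestamp; wraps every 32 slots (about 34 minutes)."""
    return (int(now) // TICKET_SLOT_SECONDS) & 0x1F


def make_ticket(secret, src, sport, dst, dport, client_isn, slot, mss_idx):
    """Build the ISN/ticket for one SYN. Pure function: nothing is stored."""
    msg = "{}:{}>{}:{}:{}:{}".format(src, sport, dst, dport, client_isn, slot).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    tag = int.from_bytes(mac[:3], "big")            # 24-bit MAC truncation
    return ((slot & 0x1F) << 27) | ((mss_idx & 0x7) << 24) | tag


class StatelessListener:
    """A listening socket that keeps no per-SYN state at all."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)      # hypothetical server-side key
        self.half_open = 0       # stays 0 by construction: there is no SYN_RCVD table
        self.established = {}    # allocated only after a verified ACK

    def on_syn(self, src, sport, dst, dport, client_isn, mss_idx, now):
        """Handle a SYN: return the ISN for the SYN-ACK, allocate nothing."""
        return make_ticket(self.secret, src, sport, dst, dport,
                           client_isn, _time_slot(now), mss_idx)

    def on_ack(self, src, sport, dst, dport, seq, ack, now):
        """Handle the final ACK: recompute the ticket from the packet alone."""
        server_isn = (ack - 1) & 0xFFFFFFFF          # what we sent as ISN
        client_isn = (seq - 1) & 0xFFFFFFFF          # what the client sent as ISN
        slot = server_isn >> 27
        mss_idx = (server_isn >> 24) & 0x7
        # Freshness: reject tickets older than MAX_TICKET_AGE_SLOTS (bounds replay).
        if ((_time_slot(now) - slot) & 0x1F) > MAX_TICKET_AGE_SLOTS:
            return False
        expected = make_ticket(self.secret, src, sport, dst, dport,
                               client_isn, slot, mss_idx)
        # Constant-time compare of the full 32-bit ticket (includes the 24-bit MAC).
        if not hmac.compare_digest(expected.to_bytes(4, "big"),
                                   server_isn.to_bytes(4, "big")):
            return False
        # Only now does the server pay for state.
        self.established[(src, sport, dst, dport)] = {
            "mss_idx": mss_idx, "server_isn": server_isn}
        return True


def demo():
    """Constructed scenario: a spoofed SYN flood, a real handshake, two bad ACKs."""
    srv = StatelessListener(secret=b"k" * 32)       # fixed key only for reproducibility
    now = 1_000_000.0                               # constructed clock value
    # 1) 50,000 spoofed SYNs from addresses that will never answer: no state consumed.
    for i in range(50_000):
        src = "10.{}.{}.{}".format((i >> 16) & 255, (i >> 8) & 255, i & 255)
        srv.on_syn(src, 40000 + (i % 20000), "198.51.100.1", 80, i * 7919, 3, now)
    state_after_flood = srv.half_open + len(srv.established)
    # 2) A real client completes the handshake one second later.
    isn = srv.on_syn("203.0.113.5", 51515, "198.51.100.1", 80, 12345, 3, now)
    ok = srv.on_ack("203.0.113.5", 51515, "198.51.100.1", 80,
                    seq=12346, ack=(isn + 1) & 0xFFFFFFFF, now=now + 1)
    # 3) The same ticket replayed from a different source port: MAC mismatch.
    replayed = srv.on_ack("203.0.113.5", 51516, "198.51.100.1", 80,
                          seq=12346, ack=(isn + 1) & 0xFFFFFFFF, now=now + 1)
    # 4) A valid ticket presented three slots later: rejected as stale.
    isn2 = srv.on_syn("203.0.113.7", 51517, "198.51.100.1", 80, 777, 3, now)
    stale = srv.on_ack("203.0.113.7", 51517, "198.51.100.1", 80,
                       seq=778, ack=(isn2 + 1) & 0xFFFFFFFF,
                       now=now + 3 * TICKET_SLOT_SECONDS)
    return state_after_flood, ok, replayed, stale


if __name__ == "__main__":
    print(demo())
```

The trade-off that comes with statelessness is visible in the ticket layout: anything the server would normally remember from the SYN (here only a 3-bit MSS index; window scaling and SACK are simply lost) has to fit in the ISN, and an attacker who guesses ACKs blindly succeeds with probability 2^-24 per attempt against the truncated MAC, which is why the time slot is checked first and the key should be rotated.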
- - - - - - - - - - - - - - - - -