Re: Re[4]: SYN floods (was: does history repeat itself?)

[Alexis Rosen <alexis () panix com>]

Alec H. Peterson writes:
> Pat Calhoun writes:
> >     Alexis,
> >     
> >        However if you are filtering on your outbound router to the net, 
> >     there is still the possbility that a malicious user could spoof 
> >     addresses as long as they belong to your address space. By moving the 
> >     filter out to the edge (when you have the equipment) this eliminates 
> >     that problem as well.

If it's not practical, it's not practical. If the dialin boxes haven't got
the CPU to filter each customer's connection, you just have to do the next
best thing. The strategy I described is the next best thing, and it's
pretty far "out to the edge".

However, if you're a small provider and you only filter on your boundary
to the net, that's still mostly OK as far as the SYN attack problem goes.
Yes, the customer can spoof in the provider's IP range, but that makes
the attacks easy to trace and very easy to filter.

> This is true, but if it is a valid host, the invalid SYNs will do
> nothing, because the source host will send a RST and the
> almost-connection will be torn down.  And if it isn't a valid host, it
> will still be _much_ easier to track, because you know in general
> where it's coming from.

Right. You're getting into a more general issue ("what can you do if you
can spoof") here, though. The answer is "lots of really nasty stuff". Just
another reason to do aggressive antiforgery filtering.

/a
- - - - - - - - - - - - - - - - -