Re: Post connection SYN

[Paul Robertson <proberts () patriot net>]

On Fri, 17 Oct 2003, Mikael Olsson wrote:

> (sidenote: I don't think Raghuveer was asking about syn flood
>  protection, but rather prevention of SYNs in the middle of
>  established TCP connections)

Sorry, the phrase "Syn attack," along with some of the recent questions 
I've been looking at elsewhere had me thinking of SYN flood protection...

Out of state SYNs aren't really an "attack" per-se, dropping them is an 
artifact of stateful filtering, not a specific protection.  However, as 
you point out, the receiving client isn't going to be able to deal with 
the packet anyway until it's timed out the original connection.

> OR you set up the firewall to answer SYNs on behalf of the server
> and wait for the handshake with the client to complete before doing 
> the handshake with the server, and assume that the firewall's state
> table can take much more of a beating than the server. Which is 
> usually true.  This way, you don't have to worry about rate limiting
> at all.

You'd still want some sort of rate limit to stop floods and broken 
clients, unless you think a ring buffer solves that probelm?  Otherwise, 
you've just moved flood protection from N servers to less than N 
firewalls, no?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards