Firewall Wizards mailing list archives

Re: SYN flood protection strategies (Was: Post connectionSYN)


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Fri, 17 Oct 2003 18:04:14 +0200


Paul Robertson wrote:

> Um, the point wasn't that the N to <N move was necessarily bad, just that
> you're either stuck with rate limiting of some sort, or a ring buffer of
> some sort, or you've recreated the problem all over again, just in a
> different place.

Yeah, if the firewall just hits the wall when the state table fills
up, I agree completely. But that'd be a dumb thing to do, now 
wouldn't it? ;)


> I happen to think that rate limits are interesting when applied to this
> sort of thing, because if you can add additional information (such as
> originating AS from an radb sort of thing) then you can provide some
> semblance of QoSishness...

The problem here is applying this logic to 100k+ (heck, make it 1M+)
states, while dealing with 100kpps (32Mbit/s) inbound. Too much logic, 
and you have a CPU crunching DoS which affects _all_ traffic and not 
just new connections.  

There's a number of approaches here that aren't too CPU intensive
but still result in QoSish behavior, but I'm not in a mood to give 
away good ideas today >:]


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
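The exchange above weighs three ways a firewall can handle a full half-open state table: refusing new connections outright, keeping half-open entries in a ring buffer so the oldest get pushed out, and rate limiting keyed on extra origin information such as the source AS. The simulation below is an added example, not code from the list or from Clavister: it models a SYN_RECV table under a constructed spoofed SYN flood and reports the fraction of legitimate handshakes that complete under each policy. Every size and rate in it is an assumption for illustration, and the "as-flood-*" / "as-legit-*" origin labels are a constructed stand-in for the AS lookup mentioned in the thread; nothing is sent on a network.

```python
from collections import OrderedDict

# Assumed sizes and rates for the simulation (constructed, not measured).
CAPACITY = 64          # half-open slots the simulated firewall holds
HANDSHAKE_DELAY = 3    # ticks between a legitimate SYN and its ACK
SYN_TIMEOUT = 20       # ticks before an unanswered half-open entry expires
LEGIT_RATE = 2         # legitimate SYNs per tick


def make_traffic(flood_rate, ticks):
    """Constructed events (tick, kind, src, origin, conn_id); ACKs sort first within a tick.

    Flood SYNs use ever-new spoofed addresses and are never ACKed; their origin
    label ("as-flood-0/1") stands in for the AS lookup mentioned in the thread.
    Legitimate SYNs come from eight clients over two origins and are ACKed later.
    """
    events, conn = [], 0
    for t in range(ticks):
        for i in range(flood_rate):
            conn += 1
            events.append((t, "syn", f"spoof-{conn}", f"as-flood-{i % 2}", conn))
        for i in range(LEGIT_RATE):
            conn += 1
            client = (t * LEGIT_RATE + i) % 8
            src, origin = f"client-{client}", f"as-legit-{client % 2}"
            events.append((t, "syn", src, origin, conn))
            events.append((t + HANDSHAKE_DELAY, "ack", src, origin, conn))
    events.sort(key=lambda e: (e[0], e[1] != "ack"))   # stable: flood SYNs precede legit ones
    return events


class HalfOpenTable:
    """SYN_RECV table with one of three policies for a full table."""

    def __init__(self, policy, limit_key="origin", capacity=CAPACITY,
                 bucket_rate=1.0, bucket_burst=4.0):
        assert policy in ("hard_cap", "ring", "rate_limit")
        self.policy, self.limit_key, self.capacity = policy, limit_key, capacity
        self.entries = OrderedDict()     # conn_id -> arrival tick, oldest first
        self.buckets = {}                # limit key -> (tokens, last tick)
        self.rate, self.burst = bucket_rate, bucket_burst

    def _expire(self, now):
        # Unanswered entries time out regardless of policy.
        while self.entries and now - next(iter(self.entries.values())) >= SYN_TIMEOUT:
            self.entries.popitem(last=False)

    def _bucket_allows(self, key, now):
        # Token bucket: refill at `rate` per tick up to `burst`, spend one token per SYN.
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        self.buckets[key] = (tokens - 1.0 if allowed else tokens, now)
        return allowed

    def syn(self, conn, src, origin, now):
        self._expire(now)
        if self.policy == "rate_limit":
            key = origin if self.limit_key == "origin" else src
            if not self._bucket_allows(key, now):
                return False
        if len(self.entries) >= self.capacity:
            if self.policy != "ring":
                return False                     # hit the wall: refuse the new SYN
            self.entries.popitem(last=False)     # ring: evict the oldest half-open entry
        self.entries[conn] = now
        return True

    def ack(self, conn):
        # The handshake completes only if the half-open entry is still present.
        return self.entries.pop(conn, None) is not None


def run(policy, flood_rate, ticks=60, limit_key="origin"):
    """Fraction of legitimate handshakes that complete under `policy`."""
    table = HalfOpenTable(policy, limit_key)
    attempted = completed = 0
    for tick, kind, src, origin, conn in make_traffic(flood_rate, ticks):
        if kind == "syn":
            if src.startswith("client-"):
                attempted += 1
            table.syn(conn, src, origin, tick)
        elif table.ack(conn):
            completed += 1
    return completed / attempted


if __name__ == "__main__":
    for policy, rate, key in [("hard_cap", 10, "origin"), ("ring", 10, "origin"),
                              ("ring", 40, "origin"), ("rate_limit", 40, "origin"),
                              ("rate_limit", 40, "src")]:
        print(f"{policy:10s} flood={rate:3d}/tick key={key:6s} "
              f"legit completed: {run(policy, rate, limit_key=key):.2f}")
```

Run with the values in the block, it shows the three points the two posters make: the hard cap starves legitimate clients once spoofed entries fill the table, because every slot freed by an expiry is taken by the next forged SYN; the ring buffer keeps legitimate clients connecting only while the flood rate stays below roughly the table size divided by the handshake delay, and above that the same failure reappears in a different place; and the rate limit helps only when its key aggregates the spoofed sources (here the origin label), since keying on the spoofed address alone admits every forged SYN as a brand-new source and degrades to the hard-cap case.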
