nanog mailing list archives

Re: TCP SYN attacks


From: Avi Freedman <freedman () netaxs com>
Date: Thu, 3 Oct 1996 20:50:51 -0400 (EDT)

I agree.

It seems to me that placing this processing in the firewall is
*potentially* dangerous, as now a SYN-flooding attack (*IF*
*successful*) will deny service to everything behind the firewall,
instead of just the targeted host.

If I know I can fire-hose your firewall, and take your *site* off the
net, then it might become more attractive to me to "find" sufficient
CPU and bandwidth resources to generate enough packets to take you
out.  This could "raise the stakes" enough to make it worth it to an
attacker.

If someone can hose a firewall with an adaptive SYN timeout and
a 100,000 or more-entry state storage structure for pending SYNs
(not that any particular implementation does this that I know of 
or don't know of) then I *WANT* them to attack me.

Something that un-subtle should be easy to track back to the source.

Tom E. Perrine (tep () SDSC EDU) | San Diego Supercomputer Center 
http://www.sdsc.edu/~tep/     | Voice: +1.619.534.5000
"Ille Albus Canne Vinco Homines" - You Know Who

Avi
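As an added illustration, not code from this thread or from any firewall product, here is a constructed Python model of the bounded pending-SYN table with an adaptive timeout that Tom describes: the permitted age of a half-open entry shrinks as the table fills, so a flood of SYNs that never complete ages out quickly while a client that ACKs promptly still completes. The capacity, timeouts, packet rate and TEST-NET addresses are assumptions chosen for the simulation.

```python
from collections import OrderedDict

class PendingSynTable:
    """Half-open (SYN_RECEIVED) table whose timeout adapts to occupancy:
    near-empty it is generous, near-full it is short. Capacity/timeouts are assumed values."""

    def __init__(self, capacity=100_000, max_timeout=75.0, min_timeout=3.0):
        self.capacity, self.max_timeout, self.min_timeout = capacity, max_timeout, min_timeout
        self.pending = OrderedDict()  # (src_ip, src_port) -> arrival time, oldest first

    def current_timeout(self):
        # Linear scale-down: max_timeout when empty, min_timeout when full.
        load = len(self.pending) / self.capacity
        return max(self.min_timeout, self.max_timeout * (1.0 - load))

    def expire(self, now):
        # Drop entries (oldest first) whose age has reached the current timeout.
        timeout = self.current_timeout()
        while self.pending and now - next(iter(self.pending.values())) >= timeout:
            self.pending.popitem(last=False)

    def on_syn(self, key, now):
        self.expire(now)
        if len(self.pending) >= self.capacity:
            self.pending.popitem(last=False)  # table full: evict the oldest half-open entry
        self.pending.pop(key, None)           # a retransmitted SYN moves to the newest slot
        self.pending[key] = now
        return self.current_timeout()

    def on_ack(self, key, now):
        # Third handshake step; True only if the entry was still pending.
        self.expire(now)
        return self.pending.pop(key, None) is not None

def simulate_flood(rate_per_sec=15_000, duration=10.0):
    """Constructed scenario: spoofed SYNs at rate_per_sec that never ACK, plus one
    real client (192.0.2.10, TEST-NET-1) sending SYN at t=9.0 s and ACK at t=9.2 s.
    Returns (peak pending entries, whether the real client completed)."""
    table, peak, real, real_sent, real_done = PendingSynTable(), 0, ("192.0.2.10", 5555), False, None
    for i in range(int(rate_per_sec * duration)):
        now = i / rate_per_sec
        table.on_syn((f"203.0.113.{i // 60000}", 1024 + i % 60000), now)  # unique spoofed key
        peak = max(peak, len(table.pending))
        if not real_sent and now >= 9.0:
            table.on_syn(real, now)
            real_sent = True
        elif real_sent and real_done is None and now >= 9.2:
            real_done = table.on_ack(real, now)
    return peak, real_done
```

Under the flood the table never exceeds its capacity and the prompt client still completes, while a lone SYN left unanswered for longer than the generous idle timeout is gone when its ACK finally arrives.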