nanog mailing list archives
Re: TCP SYN attacks
From: Avi Freedman <freedman () netaxs com>
Date: Thu, 3 Oct 1996 20:50:51 -0400 (EDT)
I agree. It seems to me that placing this processing in the firewall is *potentially* dangerous, as now a SYN-flooding attack (*IF* *successful*) will deny service to everything behind the firewall, instead of just the targeted host. If I know I can fire-hose your firewall, and take your *site* off the net, then it might become more attractive to me to "find" sufficient CPU and bandwidth resources to generate enough packets to take you out. This could "raise the stakes" enough to make it worth it to an attacker.
If someone can hose a firewall with an adaptive SYN timeout and a 100,000 or more-entry state storage structure for pending SYNs (not that any particular implementation does this that I know of or don't know of) then I *WANT* them to attack me. Something that un-subtle should be easy to track back to the source.
Tom E. Perrine (tep () SDSC EDU) | San Diego Supercomputer Center http://www.sdsc.edu/~tep/ | Voice: +1.619.534.5000 "Ille Albus Canne Vinco Homines" - You Know Who
Avi
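As an added illustration (not code from the thread or from any product it mentions), here is a small Python model of the pending-SYN table with an adaptive timeout that the reply argues is hard to exhaust. It feeds a constructed, never-completing SYN stream plus periodic legitimate clients to a fixed-timeout table and to an adaptive one; the capacity, rates, RTT and the 75 s / 1 s timeouts are assumed values chosen for the demonstration.

```python
from collections import OrderedDict


class HalfOpenTable:
    """Pending-SYN (half-open) table. The reclaim timeout shrinks as the table
    fills, so stale entries are aged out before the table is exhausted; with
    min_timeout == base_timeout it behaves as a plain fixed-timeout table."""

    def __init__(self, capacity, base_timeout, min_timeout):
        self.capacity, self.base_timeout, self.min_timeout = capacity, base_timeout, min_timeout
        self.entries = OrderedDict()  # key -> SYN arrival time, oldest first
        self.refused = 0

    def current_timeout(self):
        load = len(self.entries) / self.capacity  # 0.0 empty .. 1.0 full
        return max(self.min_timeout, self.base_timeout * (1.0 - load))

    def expire(self, now):
        timeout = self.current_timeout()
        while self.entries and now - next(iter(self.entries.values())) >= timeout:
            self.entries.popitem(last=False)  # drop the oldest half-open entry

    def on_syn(self, key, now):
        """True if a SYN-ACK would be sent, False if the SYN is refused."""
        self.expire(now)
        if key in self.entries:
            return True
        if len(self.entries) >= self.capacity:
            self.refused += 1
            return False
        self.entries[key] = now
        return True

    def on_ack(self, key):
        return self.entries.pop(key, None) is not None  # handshake completed


def simulate(table, duration=60.0, flood_rate=10.0, legit_interval=1.0, rtt=0.05):
    """Constructed traffic: flood SYNs that never complete at flood_rate/s, plus one
    legitimate client per legit_interval that ACKs after rtt. Returns the number
    of legitimate connection attempts the table refused."""
    events = [(i / flood_rate, 0, ("flood", i)) for i in range(int(duration * flood_rate))]
    events += [(k * legit_interval, 1, ("legit", k)) for k in range(int(duration / legit_interval))]
    events.sort()
    refused, pending_acks = 0, []
    for now, _, key in events:
        while pending_acks and pending_acks[0][0] <= now:  # ACKs that have arrived
            table.on_ack(pending_acks.pop(0)[1])
        if table.on_syn(key, now):
            if key[0] == "legit":
                pending_acks.append((now + rtt, key))
        elif key[0] == "legit":
            refused += 1
    return refused
```

With the assumed parameters the fixed 75 s table fills after about ten seconds of flood and refuses every later legitimate client, while the adaptive table hovers below capacity and refuses none.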