Re: TCP SYN attacks

[Alexis Rosen <alexis () panix com>]

Tom Perrine writes:
> Dima> Any data on how the firewall itself withstands SYN attacks? How much
> Dima> resources are needed to cope with a real attack? From what I've read in
> Dima> their white paper it's just a piece of SYN-processing code that was
> Dima> duplicated (functionally) in the gateway, so all concerns about resource
> Dima> usage and speed seem to be still valid.
>
> I agree.
>
> It seems to me that placing this processing in the firewall is
> *potentially* dangerous, as now a SYN-flooding attack (*IF*
> *successful*) will deny service to everything behind the firewall,
> instead of just the targeted host.
>
> If I know I can fire-hose your firewall, and take your *site* off the
> net, then it might become more attractive to me to "find" sufficient
> CPU and bandwidth resources to generate enough packets to take you
> out.  This could "raise the stakes" enough to make it worth it to an
> attacker.

I have no opinion about this product specifically, though I don't really
favor the approach (at least if you have other options, which most people
do).

However, I doubt this objection is valid. I think it should be pretty easy
to write code that can handle an entire T1 full of SYNs pretty easily on a
low-end pentium box (as long as the Ethernet driver is up to it, which should
also not be a big problem). Even without the moderately clever ideas already
being implemented (like random drop and SYN hashing) the current bsd code
can comfortably handle 1000 elements in a linked list. Hashing alone will
probably buy you two or three orders of magnitude improvement.

So maybe you can kill someone's firewall with a T3 with this approach. So
what? You can *already* do that...

/a
- - - - - - - - - - - - - - - - -