nanog mailing list archives

Re: SYN floods - possible solution? (fwd)


From: "Steven L. Johnson" <steve () barstool com>
Date: Fri, 13 Sep 1996 11:51:20 -0400 (EDT)

Yes, using ICMP to try and do TCP SYN validation is bad.  In addition to
the case where a firewalled site blocks ICMP, consider the case where a
group of hosts will respond to pings but have (some/much) TCP traffic to
them filtered by a conventional firewall.  These hosts can be used as
candidate source addresses for a TCP SYN attack as they will respond to
the ICMP echo request but will not send a TCP RST to tear down the bogus
TCP connection.

Much better IMO to consider waiting for a TCP ACK response to TCP SYN
ACK for the requested TCP connection than to wait for ICMP echo response
at the firewall.  As noted before this is a very simple transparent
proxy service that can be implemented at the packet level very similar
to that of a NAT box.

-Steve


On Thu, 12 Sep 1996, Michael Dillon wrote:

==>Now here is something that could be used by sites to protect against
==>SYN flood attack assuming that they can build a special custom box
==>with enough RAM to buffer the sockets for 30 seconds or more. How high
==>
==>From: "Roderick Murchison, Jr." <murchiso () vivid newbridge com>
==>
==>Ok.  say you have a firewall between your network and your Internet
==>connection.  If that firewall could detect and *detain* a segment with the
==>SYN option set, then see if the set source IP answers an ICMP echo

This is bad.  You should never depend upon remote hosts to give you ICMP
responses to establish connections.  This is because of several reasons:

1.  What if a real remote site uses "established" connection firewalls
    and chooses to block ICMP?  In that case, you've limited yourself
    vastly as to what can connect to you (there are a lot of sites which
    use cisco's "established" keyword to firewall and keep
    functionality).

2.  When links become congested, ICMP packets are given a lower priority
    to make way for real data.

/cah

----
Craig A. Huegen  CCIE #2100                       ||        ||
Network Analyst, IS-Network/Telecom               ||        ||
cisco Systems, Inc., 250 West Tasman Drive       ||||      ||||
San Jose, CA  95134, (408) 526-8104          ..:||||||:..:||||||:..
email: chuegen () cisco com                    c i s c o  S y s t e m s
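The ACK-gated transparent proxy Steve describes above, as an added Python simulation (not code from this thread or from any NANOG participant): the box answers every inbound SYN itself with its own SYN-ACK, keeps only a small half-open record in a bounded table, and hands the connection to the protected host only when the client's ACK carries the right acknowledgement number. A spoofed source, or a host that answers ping but has its TCP filtered, never completes that step, so it never consumes state on the server. The protected address, client addresses, the 100-entry table and the 30-second timeout are constructed values chosen for the example; the packet timeline is built inline and nothing touches a network.

```python
"""Added example: a packet-level SYN proxy that admits a TCP connection
only after the client's own ACK completes the handshake, instead of
validating the source with an ICMP echo.  All packet events are
constructed inline; nothing here touches a network."""
from dataclasses import dataclass
import secrets

MOD32 = 2 ** 32


@dataclass(frozen=True)
class Segment:
    """Minimal TCP segment: only the fields the proxy needs to look at."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0


class SynProxy:
    """Transparent proxy in front of `protected`.  Answers every SYN itself
    and holds only a small half-open record; the protected host first hears
    about the connection once the handshake has completed."""

    def __init__(self, protected, max_pending=100, timeout=30.0):
        self.protected = protected
        self.max_pending = max_pending    # bounded table: the RAM budget
        self.timeout = timeout            # seconds a half-open entry may live
        self.pending = {}                 # key -> (proxy_isn, client_isn, expiry)
        self.established = set()
        self.dropped = 0                  # SYNs refused because the table was full
        self.expired = 0                  # half-open entries that timed out
        self.forwarded = 0                # segments handed to the protected host

    def expire(self, now):
        """Free every half-open slot whose timer has run out."""
        stale = [k for k, (_, _, exp) in self.pending.items() if exp <= now]
        for k in stale:
            del self.pending[k]
        self.expired += len(stale)

    def inbound(self, seg, now):
        """Process one segment from the Internet side.  Returns the segment
        the proxy sends back to the client, "FORWARD" when the segment is
        passed to the protected host, or None when it is dropped."""
        self.expire(now)
        if seg.dst != self.protected:
            return None
        key = (seg.src, seg.sport, seg.dport)
        if seg.flags == "SYN":
            if key in self.pending or key in self.established:
                return None                       # retransmit or duplicate
            if len(self.pending) >= self.max_pending:
                self.dropped += 1                 # table full: shed the SYN
                return None
            isn = secrets.randbelow(MOD32)        # unpredictable proxy ISN
            self.pending[key] = (isn, seg.seq, now + self.timeout)
            return Segment(seg.dst, seg.dport, seg.src, seg.sport,
                           "SYN-ACK", isn, (seg.seq + 1) % MOD32)
        if key in self.established:
            self.forwarded += 1
            return "FORWARD"
        if seg.flags == "ACK" and key in self.pending:
            isn, client_isn, _ = self.pending[key]
            if seg.ack == (isn + 1) % MOD32 and seg.seq == (client_isn + 1) % MOD32:
                del self.pending[key]
                self.established.add(key)
                self.forwarded += 1
                # A real box would now open the back-end connection and
                # translate sequence numbers NAT-style; out of scope here.
                return "FORWARD"
        return None   # spoofed sources never ACK; everything else is dropped


def run_scenario():
    """Constructed timeline: one legitimate client plus 150 SYNs from
    spoofed sources that will never answer the proxy's SYN-ACK."""
    proxy = SynProxy("192.0.2.10", max_pending=100, timeout=30.0)
    client = ("198.51.100.7", 51000)      # constructed legitimate client
    server = ("192.0.2.10", 80)           # constructed protected host

    # t=0: the legitimate client sends SYN and receives the proxy's SYN-ACK
    synack = proxy.inbound(Segment(*client, *server, "SYN", seq=1000), now=0.0)
    forwarded_before_ack = proxy.forwarded

    # t=0.5: flood of spoofed SYNs, each from a distinct source address/port
    for i in range(150):
        spoofed = ("10.%d.%d.1" % (i // 256, i % 256), 40000 + i)
        proxy.inbound(Segment(*spoofed, *server, "SYN", seq=i), now=0.5)

    # t=1: an ACK with the wrong acknowledgement number is not a handshake
    bad = proxy.inbound(Segment(*client, *server, "ACK", seq=1001,
                                ack=(synack.seq + 2) % MOD32), now=1.0)
    # the genuine third packet completes it and reaches the protected host
    good = proxy.inbound(Segment(*client, *server, "ACK", seq=1001,
                                 ack=(synack.seq + 1) % MOD32), now=1.0)

    # t=31: every spoofed half-open entry has timed out and freed its slot
    proxy.expire(31.0)

    return {
        "forwarded_before_ack": forwarded_before_ack,
        "spoofed_dropped_at_capacity": proxy.dropped,
        "bad_ack_admitted": bad == "FORWARD",
        "legit_established": good == "FORWARD",
        "pending_after_timeout": len(proxy.pending),
        "expired_half_open": proxy.expired,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The design point is the one Steve makes: the only state the box keeps per unverified source is a few bytes for the half-open record, capped by `max_pending` and reclaimed after `timeout`, so the flood is absorbed in the proxy's bounded table and the protected host never allocates a socket for a source that does not complete the handshake. Whether the source answers ICMP echo plays no part in the decision.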

