nanog mailing list archives
Re: Syn flooding attacks
From: Joe Shaw <jshaw () insync net>
Date: Mon, 20 Oct 1997 15:09:24 -0500 (CDT)
On Mon, 20 Oct 1997, Vern Paxson wrote:
The router could discard the SYN, remembering it, and let pass the retry SYN that usually occurs with valid connections and does not with invalid ones.This is no good - all the crackers have to do is modify their programs to send two bogus SYNs, spaced apart, instead of just one.
Don't most SYN flood programs just send a constant stream of SYNs to the specified machine/port? The one I have for testing does that. So, sequential requests would get around this, no matter how many SYNs you were looking for. I think the best protection against SYN flooding is in the Kernel level of the OS. If you see a massive amount of SYN request coming in on one port from one machine or many, then you start applying cookies for those connections and decrease the hold time before you start dropping the connections due to un-answered SYN-ACKs. Don't most operating systems now support this feature (Win95 excluded)? Joe Shaw - jshaw () insync net NetAdmin - Insync Internet Services
Current thread:
- Syn flooding attacks Paulo Maffei (Oct 20)
- Re: Syn flooding attacks Phil Howard (Oct 20)
- Re: Syn flooding attacks Jeffrey C. Ollie (Oct 20)
- Re: Syn flooding attacks Peter Evans (Oct 20)
- Re: Syn flooding attacks Kenneth E. Gray (Oct 21)
- <Possible follow-ups>
- Re: Syn flooding attacks Vern Paxson (Oct 20)
- Re: Syn flooding attacks Joe Shaw (Oct 20)
- Re: Syn flooding attacks Perry E. Metzger (Oct 20)
- Re: Syn flooding attacks Joe Shaw (Oct 20)
- Re: Syn flooding attacks Jim Shankland (Oct 20)
- Re: Syn flooding attacks Perry E. Metzger (Oct 20)
- Re: Syn flooding attacks Phil Howard (Oct 20)