Now here is something that could be used by sites to protect against SYN
flood attacke assuming that they can build a special custom box with
enough RAM to buffer the sockets for 30 seconds or more. How high a rate
can SYN floods come in at? I've heard of 1,000 per sec which implies that
this box needs to hold open 30,000 to 75,000 potential sockets. Is there
any problem within IPv4 (seq #'s?) that would make this inherently
impossible?
Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com
==>Now here is something that could be used by sites to protect against
==>SYN flood attacke assuming that they can build a special custom box
==>with enough RAM to buffer the sockets for 30 seconds or more. How high
==>
==>From: "Roderick Murchison, Jr." <murchiso@vivid.newbridge.com>
==>
==>Ok. say you have a firewall between your network and you Internet
==>connection. If that firewall could detect and *detain* a segment with the
==>SYN option set, then see if the set source IP answers an ICMP echo
This is bad. You should never depend upon remote hosts to give you ICMP
responses to establish connections. This is because of several reasons:
1. What if a real remote site uses "established" connection firewalls
and chooses to block ICMP? In that case, you've limited yourself
vastly as to what can connect to you (there are a lot of sites which
use cisco's "established" keyword to firewall and keep
functionality).
2. When links become congested, ICMP packets are given a lower priority
to make way for real data.
/cah