TCP SYN attacks

I agree.

It seems to me that placing this processing in the firewall is
*potentially* dangerous, as now a SYN-flooding attack (*IF*
*successful*) will deny service to everything behind the firewall,
instead of just the targeted host.

If I know I can fire-hose your firewall, and take your *site* off the
net, then it might become more attractive to me to "find" sufficient
CPU and bandwidth resources to generate enough packets to take you
out. This could "raise the stakes" enough to make it worth it to an

If someone can hose a firewall with an adaptive SYN timeout and
a 100,000 or more-entry state storage structure for pending SYNs
(not that any particular implementation does this that I know of
or don't know of) then I *WANT* them to attack me.

Something that un-subtle should be easy to track back to the source.
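To make the "adaptive SYN timeout plus a large pending-SYN table" idea concrete, here is an added toy model (not code from this thread or from any firewall product): a half-open connection table whose timeout shrinks as the table fills, run against a constructed in-memory flood of never-completed SYNs while one legitimate client per second finishes its handshake. Class and function names, the capacity of 1000 entries, the 30 s base timeout and the traffic rates are all assumptions chosen so the simulation runs in a second; no packets are sent.

```python
from collections import OrderedDict

class PendingSynTable:
    """Half-open (SYN seen, no ACK yet) table with an adaptive timeout:
    the fuller the table, the sooner unanswered SYNs are aged out.
    Constructed model for illustration, not a real TCP stack."""
    def __init__(self, capacity=100_000, base_timeout=30.0, min_timeout=0.2):
        self.capacity, self.base_timeout, self.min_timeout = capacity, base_timeout, min_timeout
        self.pending = OrderedDict()   # (src_ip, src_port) -> SYN arrival time, oldest first
        self.dropped_old = 0           # half-open entries aged out by the timeout
        self.dropped_full = 0          # SYNs refused because the table was full

    def timeout(self):
        load = len(self.pending) / self.capacity
        return max(self.min_timeout, self.base_timeout * (1.0 - load))

    def expire(self, now):
        limit = self.timeout()
        while self.pending and now - next(iter(self.pending.values())) > limit:
            self.pending.popitem(last=False)   # oldest entry first
            self.dropped_old += 1

    def syn(self, key, now):
        self.expire(now)
        if len(self.pending) >= self.capacity:
            self.dropped_full += 1
            return False
        self.pending[key] = now
        return True

    def ack(self, key, now):
        self.expire(now)
        return self.pending.pop(key, None) is not None

def simulate(min_timeout, capacity=1000, flood_rate=2000, duration=5.0):
    """Constructed scenario: `flood_rate` SYNs/s that are never completed, plus one
    legitimate client per second that ACKs 50 ms after its SYN.
    min_timeout == 30.0 turns the adaptive timeout into a fixed 30 s one.
    Returns (legit_completed, legit_attempts, table)."""
    table = PendingSynTable(capacity, 30.0, min_timeout)
    step = 1.0 / flood_rate
    acks, legit_ok, legit_attempts = [], 0, 0
    for i in range(int(duration * flood_rate)):
        now = i * step
        while acks and acks[0][0] <= now:            # deliver due handshake completions
            _, key = acks.pop(0)
            legit_ok += table.ack(key, now)
        table.syn(("10.0.0.%d" % (i % 250), 1024 + i), now)   # constructed flood SYN, never ACKed
        if i % flood_rate == 0:                      # one legitimate client per second
            key = ("192.0.2.10", 40000 + i)
            legit_attempts += 1
            if table.syn(key, now):
                acks.append((now + 0.05, key))
    return legit_ok, legit_attempts, table
```

With a fixed 30 s timeout the 1000-entry table fills in half a second and every later legitimate SYN is refused; with the adaptive timeout the table settles just below capacity and all five legitimate handshakes complete.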

