TCP SYN attacks

Tom Perrine writes:

> Any data on how the firewall itself withstands SYN attacks? How much
> resources are needed to cope with a real attack? From what I've read in
> their white paper it's just a piece of SYN-processing code that was
> duplicated (functionally) in the gateway, so all concerns about resource
> usage and speed seem to be still valid.

I agree.

It seems to me that placing this processing in the firewall is
*potentially* dangerous, as now a SYN-flooding attack (*IF*
*successful*) will deny service to everything behind the firewall,
instead of just the targeted host.

If I know I can fire-hose your firewall, and take your *site* off the
net, then it might become more attractive to me to "find" sufficient
CPU and bandwidth resources to generate enough packets to take you
out. This could "raise the stakes" enough to make it worth it to an

I have no opinion about this product specifically, though I don't really
favor the approach (at least if you have other options, which most people

However, I doubt this objection is valid. I think it should be pretty easy
to write code that can handle an entire T1 full of SYNs pretty easily on a
low-end pentium box (as long as the Ethernet driver is up to it, which should
also not be a big problem). Even without the moderately clever ideas already
being implemented (like random drop and SYN hashing) the current bsd code
can comfortably handle 1000 elements in a linked list. Hashing alone will
probably buy you two or three orders of magnitude improvement.

So maybe you can kill someone's firewall with a T3 with this approach. So
what? You can *already* do that...