North American Network Operators Group


Re: TCP SYN attacks

  • From: Avi Freedman
  • Date: Thu Oct 03 21:04:41 1996

> I agree.
> 
> It seems to me that placing this processing in the firewall is
> *potentially* dangerous, as now a SYN-flooding attack (*IF*
> *successful*) will deny service to everything behind the firewall,
> instead of just the targeted host.
> 
> If I know I can fire-hose your firewall, and take your *site* off the
> net, then it might become more attractive to me to "find" sufficient
> CPU and bandwidth resources to generate enough packets to take you
> out.  This could "raise the stakes" enough to make it worth it to an
> attacker.

If someone can hose a firewall with an adaptive SYN timeout and
a 100,000 or more-entry state storage structure for pending SYNs
(not that any particular implementation does this that I know of 
or don't know of) then I *WANT* them to attack me.

Something that un-subtle should be easy to track back to the source.

> Tom E. Perrine ([email protected]) | San Diego Supercomputer Center 
> http://www.sdsc.edu/~tep/     | Voice: +1.619.534.5000
> "Ille Albus Canne Vinco Homines" - You Know Who

Avi
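The defence Avi describes above, a large pending-SYN table whose timeout shrinks as it fills, as an added toy model written for this archive page; it is not code from the thread or from any firewall, and the 100,000-entry capacity, the linear timeout curve and the 60/5 second bounds are assumptions:

```python
"""Toy model of a firewall's pending-SYN (half-open) table with an adaptive
timeout.  Constructed illustration; capacity and timeout values are assumed."""


class PendingSynTable:
    def __init__(self, capacity=100_000, max_timeout=60.0, min_timeout=5.0):
        self.capacity = capacity        # half-open entries the table can hold
        self.max_timeout = max_timeout  # seconds an entry lives when table is idle
        self.min_timeout = min_timeout  # floor the timeout shrinks to under load
        self.pending = {}               # entry id -> absolute expiry time
        self.dropped = 0                # SYNs refused because the table was full

    def timeout(self):
        # Assumed adaptive rule: shrink linearly with occupancy, never below floor.
        load = len(self.pending) / self.capacity
        return max(self.min_timeout, self.max_timeout * (1.0 - load))

    def expire(self, now):
        # Reclaim entries whose SYN-ACK was never answered within the timeout.
        for key in [k for k, exp in self.pending.items() if exp <= now]:
            del self.pending[key]

    def admit(self, key, now, ttl):
        if len(self.pending) >= self.capacity:
            self.dropped += 1           # table full: this SYN is refused
            return False
        self.pending[key] = now + ttl
        return True


def simulate(syn_rate, seconds, capacity=100_000):
    """Feed syn_rate spoofed SYNs per second (never completed) for `seconds`
    and return (peak occupancy, SYNs dropped).  One expiry pass per tick."""
    table = PendingSynTable(capacity=capacity)
    peak, seq = 0, 0
    for now in range(seconds):
        table.expire(now)
        ttl = table.timeout()           # timeout fixed from occupancy at this tick
        for _ in range(syn_rate):
            table.admit(seq, now, ttl)
            seq += 1
        peak = max(peak, len(table.pending))
    return peak, table.dropped


def absorbable_rate(capacity, min_timeout):
    """Largest steady SYN rate the table holds indefinitely even at the floor
    timeout (Little's law: occupancy = arrival rate * lifetime)."""
    return capacity / min_timeout


if __name__ == "__main__":
    print(simulate(1_000, 120))         # stays well under capacity, no drops
    print(simulate(50_000, 30))         # fills the table, then starts dropping
    print(absorbable_rate(100_000, 5.0))
```

Because every entry lives at most max_timeout seconds, occupancy can never exceed rate times max_timeout, which is the capacity-planning figure a defender sizes the table against.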