From owner-freebsd-security Thu May 13 19:42:12 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gw.whitefang.com (calnet11-70.gtecablemodem.com [207.175.234.70])
        by hub.freebsd.org (Postfix) with SMTP id 4FC4E1536B
        for ; Thu, 13 May 1999 19:42:06 -0700 (PDT)
        (envelope-from shadows@whitefang.com)
Received: (qmail 4608 invoked from network); 14 May 1999 02:42:05 -0000
Received: from rage.whitefang.com (shadows@192.168.1.3)
        by gw.whitefang.com with SMTP; 14 May 1999 02:42:05 -0000
Date: Thu, 13 May 1999 19:41:12 -0700 (PDT)
From: Thamer Al-Herbish
To: security@FreeBSD.ORG
Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
In-Reply-To: <4.2.0.37.19990513202450.0444fca0@localhost>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 13 May 1999, Brett Glass wrote:

> How often are the IP addresses spoofed during SYN floods? (I know
> it's perfectly practical to do so, since the flooder doesn't
> care about responses, but routers may preclude it.)

Completely arbitrary. I could literally send out thousands as long as
I know they are unreachable. I could use, say 10 different addresses
and make a zillion packets. Bandwidth and my imagination are the only
barriers.

> It could be that discarding SYNS from addresses that send excessive
> numbers of them would let the legitimate folk keep working.

Yes, but it will be worthless against syn flooders. Keep in mind that
you want an unreachable address: the returned SYN-ACK is irrelevant.

--
Thamer Al-Herbish                     PGP public key:
shadows@whitefang.com                 http://www.whitefang.com/pgpkey.txt
[ The Secure UNIX Programming FAQ    http://www.whitefang.com/sup/ ]
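
The point argued in this exchange, as an added example that is not part of the original message: a small Python model of one time window in which a per-source SYN limit sits in front of a fixed-size half-open queue. The queue size, the limit, the traffic mix and all addresses are constructed assumptions, and the model ignores half-open timeouts.

```python
from collections import Counter
from ipaddress import IPv4Address

BACKLOG = 128        # assumed half-open queue size
PER_SRC_LIMIT = 5    # assumed per-source SYN limit within one window

def traffic(flood_sources, flood_count=5000, legit_every=100):
    """Constructed sample: flood SYNs, with one legitimate SYN every `legit_every`."""
    spoofed = int(IPv4Address("10.0.0.1"))     # stands in for unreachable sources
    clients = int(IPv4Address("198.51.100.1"))  # documentation range, real clients
    for i in range(flood_count):
        yield str(IPv4Address(spoofed + i % flood_sources)), False
        if i % legit_every == legit_every - 1:
            yield str(IPv4Address(clients + i // legit_every)), True

def simulate(packets, limit=PER_SRC_LIMIT, backlog=BACKLOG):
    """Apply the per-source limit, then model the half-open queue for one window."""
    seen, half_open = Counter(), 0
    stats = {"flood_dropped": 0, "flood_queued": 0, "legit_ok": 0, "legit_refused": 0}
    for src, is_legit in packets:
        seen[src] += 1
        if seen[src] > limit:          # per-source filter: excessive sender
            stats["legit_refused" if is_legit else "flood_dropped"] += 1
            continue
        if half_open >= backlog:       # queue full: the SYN is discarded
            if is_legit:
                stats["legit_refused"] += 1
            continue
        if is_legit:
            stats["legit_ok"] += 1     # handshake completes, slot is freed at once
        else:
            half_open += 1             # SYN-ACK goes nowhere, slot stays held
            stats["flood_queued"] += 1
    return stats

if __name__ == "__main__":
    # Same packet volume both times; only the number of claimed sources differs.
    print("10 claimed sources  :", simulate(traffic(flood_sources=10)))
    print("one source per SYN  :", simulate(traffic(flood_sources=5000)))
```

In this model the filter only bounds held slots at limit times the number of distinct claimed sources, so it stops mattering once that product exceeds the queue size.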