From owner-freebsd-security@FreeBSD.ORG Wed May 21 22:54:09 2003
Date: Wed, 21 May 2003 23:53:54 -0600
From: Brett Glass
To: Mike Silbersack, jeremie le-hen
cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD firewall block syn flood attack
Message-Id: <4.3.2.7.2.20030521234939.02fbdc20@localhost>
In-Reply-To: <20030520084338.W56510@odysseus.silby.com>
References: <20030520095759.GA26095@carpediem.epita.fr>
X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms.

At 07:45 AM 5/20/2003, Mike Silbersack wrote:

>It would be possible to add the syncache / syncookies to ipfw so that it
>could be used to protect hosts behind it, but I don't think anyone has
>tried an implementation of that yet.

This would require the creation of a general transparent TCP proxy which did
the 3-way handshake and then connected to the internal host only if the
handshake succeeded.

Trouble is, it would need to translate sequence numbers throughout the entire
session. Could be done with divert sockets and a daemon like natd, I imagine.

--Brett
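The sequence-number translation Brett describes, as an added example that is not part of the original thread or of any FreeBSD, ipfw or natd code: it assumes the proxy relays the client's SYN with the client's own ISN unchanged, so only the server's ISN differs from the one the proxy answered with, and it rewrites just the fields of a constructed segment (a real divert-socket daemon would also have to recompute the TCP checksum).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum dir { FROM_CLIENT, FROM_SERVER };   /* which side a segment came from */

/* Constructed stand-in for the TCP header fields the proxy must rewrite. */
struct tcp_seg { uint32_t seq; uint32_t ack; bool ack_flag; };

/* proxy_isn: ISN the proxy answered the client's SYN with (e.g. a syncookie).
   server_isn: ISN the real server chose once the proxy, having seen the client's
   ACK, relayed the handshake to it. */
struct xlate { uint32_t proxy_isn; uint32_t server_isn; };

/* Offset between the two server-side sequence spaces. Unsigned subtraction wraps
   mod 2^32, which is TCP's own sequence arithmetic, so no special-casing needed. */
uint32_t seq_delta(const struct xlate *x)
{
    return x->server_isn - x->proxy_isn;
}

/* Rewrite one segment in place.
   Client->server: the ACK counts server bytes as the client saw them (proxy_isn
   based), so shift it forward by delta. The client's own SEQ is untouched because
   the proxy relayed the client's ISN unchanged (assumption).
   Server->client: SEQ is server_isn based, so shift it back by delta. The server's
   ACK refers to client bytes and needs no change. Checksum fix-up is omitted. */
void translate(struct tcp_seg *s, enum dir d, const struct xlate *x)
{
    uint32_t delta = seq_delta(x);
    if (d == FROM_CLIENT) {
        if (s->ack_flag)
            s->ack += delta;
    } else {
        s->seq -= delta;
    }
}

int main(void)
{
    /* Constructed values chosen so the proxy-side space wraps past 2^32. */
    struct xlate x = { 0xFFFFFFF0u, 0x00000010u };
    struct tcp_seg c = { 1001u, 0xFFFFFFF5u, true };  /* client ACKs 5 server bytes */
    struct tcp_seg s = { 0x00000074u, 1001u, true };  /* server sends its byte 100 */
    translate(&c, FROM_CLIENT, &x);
    translate(&s, FROM_SERVER, &x);
    printf("client ack -> %#x, server seq -> %#x\n", (unsigned)c.ack, (unsigned)s.seq);
    return 0;
}
```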