Date:      Tue, 16 May 2006 00:01:05 -0500
From:      "Travis H." <solinym@gmail.com>
To:        "Max Laier" <max@love2party.net>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: promt solution with max-src-conn-rate
Message-ID:  <d4f1333a0605152201w71e197a2ye15b10ab4c9acad3@mail.gmail.com>
In-Reply-To: <55278.192.168.4.1.1147735542.squirrel@mail.abi01.homeunix.org>
References:  <44680266.2090007@azimut-tour.ru> <446873D3.7090703@azimut-tour.ru> <55e8a96c0605150907k49af4454t5d0431ea036e11bc@mail.gmail.com> <200605151823.17265.viktor.vasilev@stud.tu-darmstadt.de> <fee88ee40605151617x75001284x54b9f33f89b7c339@mail.gmail.com> <55278.192.168.4.1.1147735542.squirrel@mail.abi01.homeunix.org>

> You have to be aware that this otoh might open you to DoS attacks.  People
> spoofing connections from your address will lock you out from your own
> server.

It requires spoofing a full TCP connect, which is more difficult than
most DoS types are willing to do.  Even harder if you're doing
"reassemble tcp" to protect the weak host's SYN packets.

I've never heard a report of this kind of DoS in practice.
-- 
"Curiousity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
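The lockout scenario discussed above, illustrated as an added pf.conf fragment (not from the original message or the FreeBSD project). It shows a max-src-conn-rate rule feeding an overload table, with the caveat the thread raises handled by exempting your own management addresses before the rate-limited rule, so a spoofed source cannot add them to the table. The interface name em0, the trusted addresses (RFC 5737 documentation ranges) and the limit 5 connections per 30 seconds are constructed for the example. Note that pf counts these limits only for TCP connections that have completed the three-way handshake (stateful options are only valid with keep state on TCP rules), which is the reason the reply says an attacker must spoof a full connect rather than a bare SYN.

```pf
# Added example, not from the original message. Assumed interface and addresses.
ext_if = "em0"

# Addresses you administer from: never subject to the rate limit, so a forged
# source can never land them in <bruteforce>. Constructed example ranges.
table <trusted> persist { 192.0.2.10, 198.51.100.0/24 }
# Filled at runtime by the overload clause below.
table <bruteforce> persist

# Normalise inbound traffic; "reassemble tcp" also protects hosts with weak
# TCP stacks, the option mentioned in the reply.
scrub in on $ext_if all reassemble tcp

# Drop anything already tripped into the overload table.
block in quick on $ext_if from <bruteforce>

# Management sources get a plain stateful pass, before the limited rule,
# so they are never counted against max-src-conn-rate.
pass in quick on $ext_if proto tcp from <trusted> to $ext_if port ssh \
    flags S/SA keep state

# Everyone else: more than 5 completed connections in 30 seconds from one
# source adds that source to <bruteforce> and kills all of its states.
pass in on $ext_if proto tcp from any to $ext_if port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

To see who has been caught, run `pfctl -t bruteforce -T show`; to release a single address, `pfctl -t bruteforce -T delete 203.0.113.7`; to clear the table, `pfctl -t bruteforce -T flush`. Without `global`, `flush` only kills states created by the rule that triggered the overload; `flush global` kills every state from that source, which is the stronger response but also the one that makes a successful spoof more disruptive, so keep the `<trusted>` exemption in front of it.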


