From owner-freebsd-hackers Fri Sep 13 01:03:53 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA01134 for hackers-outgoing; Fri, 13 Sep 1996 01:03:53 -0700 (PDT)
Received: from al.imforei.apana.org.au (pjchilds@al.imforei.apana.org.au [202.12.89.41]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA01108 for ; Fri, 13 Sep 1996 01:03:41 -0700 (PDT)
Received: (from pjchilds@localhost) by al.imforei.apana.org.au (8.7.5/8.7.3) id RAA02244; Fri, 13 Sep 1996 17:33:28 GMT
Date: Fri, 13 Sep 1996 17:33:28 GMT
From: Peter Childs
Message-Id: <199609131733.RAA02244@al.imforei.apana.org.au>
To: michael@memra.com, freebsd-hackers@freebsd.org
Subject: Re: SYN floods - possible solution? (fwd)
X-Newsreader: TIN [version 1.2 PL2]
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In article you wrote:

: Now here is something that could be used by sites to protect against SYN
: flood attacks assuming that they can build a special custom box with
: enough RAM to buffer the sockets for 30 seconds or more. How high a rate

I don't think it's going to work too well.

Say you're getting flooded with a stack of IP spoofed SYN connections...
and your "super-spoof-protection-box" grabs 'em and sends off ICMP pings
to the origin addresses.... and then those addresses all reply.

Nothing stops the attackers using IPs that _are_ valid, and then the
pings will succeed...

One way of helping to insulate against denial of service attacks like
these is to have your "inside" network with hosts for pop, telnet, etc,
and then have a different machine servicing requests from the
_big_bad_internet_ ... so if it gets trashed... well.. life goes on.

Doing this with creative DNS and some well placed firewalls could be
an idea.

Peter

--
Peter Childs --- http://www.imforei.apana.org.au/~pjchilds
Finger pjchilds@al.imforei.apana.org.au for public PGP key
Drag me, drop me, treat me like an object!