From owner-freebsd-hackers  Fri Sep 13 05:41:01 1996
Return-Path: owner-hackers
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id FAA17656
          for hackers-outgoing; Fri, 13 Sep 1996 05:41:01 -0700 (PDT)
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id FAA17647
          for <freebsd-hackers@freebsd.org>; Fri, 13 Sep 1996 05:40:59 -0700 (PDT)
Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with ESMTP id FAA25458; Fri, 13 Sep 1996 05:39:58 -0700 (PDT)
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id WAA21836; Fri, 13 Sep 1996 22:39:14 +1000
From: Julian Assange <proff@suburbia.net>
Message-Id: <199609131239.WAA21836@suburbia.net>
Subject: Re: SYN floods - possible solution? (fwd)
To: pjchilds@imforei.apana.org.au (Peter Childs)
Date: Fri, 13 Sep 1996 22:39:14 +1000 (EST)
Cc: michael@memra.com, freebsd-hackers@freebsd.org
In-Reply-To: <199609131733.RAA02244@al.imforei.apana.org.au> from "Peter Childs" at Sep 13, 96 05:33:28 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> In article <Pine.BSI.3.93.960912233311.11005G-100000@sidhe.memra.com> you wrote:
> 
> : Now here is something that could be used by sites to protect against SYN
> : flood attacke assuming that they can build a special custom box with
> : enough RAM to buffer the sockets for 30 seconds or more. How high a rate
> 
>  I don't think its going to work too well.   Say your getting flooded
>  with a stack of IP spoofed SYN connections... and your 
>  "super-spoof-protection-box" grabs 'em and sends off ICMP pings to
>  the origin addresses....  and then those addresses all reply.
> 
>  Nothing stops the attackers using IP's that _are_ valid, and then
>  the pings will succeed...

If the IP's are valid then the SYN|ACK's will be RST'd immediately. 
Although, you could choose valid addresses behind a filtering firewall
that allows ICMP ECHO's through, but not SYN|ACK's ;)


-- 
"Of all tyrannies a tyranny sincerely  exercised for the good of its victims  
 may be the most  oppressive.  It may be better to live under  robber barons  
 than  under  omnipotent  moral busybodies,  The robber baron's  cruelty may  
 sometimes sleep,  his cupidity may at some point be satiated; but those who  
 torment us for own good  will torment us  without end,  for they do so with 
 the approval of their own conscience."    -   C.S. Lewis, _God in the Dock_ 
+---------------------+--------------------+----------------------------------+
|Julian Assange RSO   | PO Box 2031 BARKER | Secret Analytic Guy Union        |
|proff@suburbia.net   | VIC 3122 AUSTRALIA | finger for PGP key hash ID =     |
|proff@gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 |
+---------------------+--------------------+----------------------------------+