From owner-freebsd-security Sun Sep 22 17:11:34 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3)
    id RAA14830 for security-outgoing; Sun, 22 Sep 1996 17:11:34 -0700 (PDT)
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24])
    by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id RAA14774 for ;
    Sun, 22 Sep 1996 17:11:31 -0700 (PDT)
Message-Id: <199609230011.RAA14774@freefall.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA198817444;
    Mon, 23 Sep 1996 10:10:44 +1000
From: Darren Reed
Subject: Re: comments on the SYN attack
To: imp@village.org (Warner Losh)
Date: Mon, 23 Sep 1996 10:10:44 +1000 (EST)
Cc: tweten@frihet.com, newton@communica.com.au, spfarrel@midway.uchicago.edu,
    security@FreeBSD.org
In-Reply-To: <199609212143.PAA02996@rover.village.org> from "Warner Losh" at Sep 21, 96 03:43:35 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

In some mail from Warner Losh, sie said:
[...]
> I think that if you get the point of discarding stuff, then you are in
> trouble anyway. It would be nice to not discard it too soon. Also,
> if the rates are such that you know you can handle it, then I think
> the deterministic would be better. If they are absolutely hammering
> the snot out of you, then the random one would be better because the
> service is so crappy anyway that a little flakiness is better than no
> possibility of a connection.
>
> Bottom line: You don't want to drop these things if you can help
> it...

so, you're saying something like "if I already have an established
connection to this source host, try not to drop the half-open state" ?

I say "try" because someone might flood you with fake SYN packets which
are from an IP# that won't receive the ACK because of firewalling, although
you already have an established connection from that host.

Darren
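
The two drop policies and the "try not to drop" preference discussed in this message, as an added sketch that is not code from the thread or from FreeBSD. The names `pick_victim`, `has_established` and `lcg`, the queue size and the sample addresses are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define BACKLOG 6                      /* constructed size of the half-open queue */
enum policy { DROP_OLDEST, DROP_RANDOM };
struct half_open { uint32_t src; uint32_t age; };   /* age in ticks since the SYN */

/* Hypothetical lookup: does src already hold an established connection? */
static int has_established(const uint32_t *est, int n_est, uint32_t src)
{
    for (int i = 0; i < n_est; i++)
        if (est[i] == src) return 1;
    return 0;
}

/* Tiny LCG so the random policy is reproducible here; not for production use. */
static uint32_t lcg(uint32_t *s) { *s = *s * 1664525u + 1013904223u; return *s >> 16; }

/* Choose which half-open entry to drop when the queue is full.
 * Pass 0 considers only sources with no established connection ("try not to
 * drop" the others); pass 1 considers everything if pass 0 found nothing. */
int pick_victim(const struct half_open *q, int n, const uint32_t *est, int n_est,
                enum policy p, uint32_t *seed)
{
    int cand[BACKLOG], nc = 0;
    for (int pass = 0; pass < 2 && nc == 0; pass++)
        for (int i = 0; i < n && i < BACKLOG; i++)
            if (pass == 1 || !has_established(est, n_est, q[i].src))
                cand[nc++] = i;
    if (nc == 0) return -1;                        /* empty queue */
    if (p == DROP_RANDOM) return cand[lcg(seed) % (uint32_t)nc];
    int v = cand[0];                               /* deterministic: oldest first */
    for (int k = 1; k < nc; k++)
        if (q[cand[k]].age > q[v].age) v = cand[k];
    return v;
}

/* Constructed sample: 10.0.0.1 and 10.0.0.2 already have established connections. */
static const uint32_t EST[] = { 0x0a000001, 0x0a000002 };
static const struct half_open QUEUE[BACKLOG] = {
    { 0x0a000001, 90 }, { 0xc6336401, 40 }, { 0xc6336402, 70 },
    { 0x0a000002, 95 }, { 0xc6336403, 10 }, { 0xc6336404, 55 },
};

int main(void)
{
    uint32_t seed = 1996;
    printf("oldest: slot %d\n", pick_victim(QUEUE, BACKLOG, EST, 2, DROP_OLDEST, &seed));
    printf("random: slot %d\n", pick_victim(QUEUE, BACKLOG, EST, 2, DROP_RANDOM, &seed));
    return 0;
}
```

The second pass is the "try" in the message: once every queued entry claims a source with an established connection, the preference no longer protects anything and the normal policy applies to the whole queue.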