From: none@none.invalid   
      
   On Thu, 5 Nov 2009 19:13:14 +0000 (UTC), Rick Jones   
    wrote:   
      
   >Char Jackson wrote:   
   >> On Wed, 4 Nov 2009 19:25:36 +0100, Martijn Lievaart   
   >> wrote:   
   >   
   >> >Any firewall that tries to handle SYN floods by spoofing the connection   
   >> >until the three way handshake is complete. Firewall-1 does this for   
   >> >instance and I suspect others as well.   
   >   
   >> F5 BigIP load balancers do the same thing. Enabling SYN flood   
   >> protection means new connections are spoofed, (they call it   
   >> proxying), until the three way handshake is complete. After a   
   >> configurable amount of time or when the buffer reaches a certain   
   >> point of utilization, whichever comes first, old SYNs without ACKs   
   >> are purged.   
   >   
   >> I'm in favor of filtering this stuff out sooner rather than later,   
   >> so I'm in favor of doing it in a centralized network device such as   
   >> a firewall or load balancer rather than allowing the bogus traffic   
   >> to reach the individual hosts.   
   >   
   >I see a huge gulf separating dropping a SYN early and an intermediate   
   >device pretending to be the end destination.   
      
   I'm not sure I see any easy way to separate the two, or even whether   
   it's beneficial to separate the two. Do you propose setting a limit,   
   whether arbitrary or adaptive, on the number of SYN packets you'd   
   allow through, and any beyond that limit would be dropped? If so, that   
   might help with this specific DoS attack, but a distributed attack   
   would be allowed through. I'm not trying to be argumentative, I'm just   
   trying to see more sides of this and expand my knowledge.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
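The SYN-proxying behaviour described in this thread (the intermediate device completes the three way handshake itself, opens a backend connection only on the final ACK, and purges old SYNs without ACKs after a timeout or when the table reaches a utilization threshold, whichever comes first), as an added simulation. This is not code from any of the posters or from the products named; the table size, timeout, threshold and addresses are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class SynProxyTable:
    """Half-open (embryonic) connection table of a SYN-proxying device."""
    capacity: int                  # maximum half-open entries kept
    timeout: float                 # seconds a SYN may wait for its ACK
    purge_at: float = 0.0          # utilisation (0-1) that triggers an early purge; 0 disables
    pending: dict = field(default_factory=dict)    # client -> time its SYN arrived
    established: set = field(default_factory=set)  # handshakes completed to the backend

    def on_syn(self, client, now):
        """Answer SYN/ACK on the server's behalf and record the half-open entry."""
        self.purge(now)
        if len(self.pending) >= self.capacity:
            return False           # table full even after purging: SYN is dropped
        self.pending[client] = now
        return True

    def on_ack(self, client, now):
        """Third leg of the handshake: only now is a backend connection opened."""
        if client not in self.pending:
            return False           # ACK for an unknown or already-purged SYN
        del self.pending[client]
        self.established.add(client)
        return True

    def purge(self, now):
        """Purge SYNs without ACKs: those older than the timeout first, then, if
        utilisation is still at or above purge_at, the oldest until it is below."""
        victims = [c for c, t in self.pending.items() if now - t >= self.timeout]
        if self.purge_at:
            limit = int(self.capacity * self.purge_at)
            left = [c for c in self.pending if c not in victims]
            if len(left) >= limit:
                victims += sorted(left, key=self.pending.get)[: len(left) - limit + 1]
        for c in victims:
            del self.pending[c]
        return len(victims)

def simulate_flood(n_spoofed=500, capacity=100, purge_at=0.8):
    """Constructed scenario: n_spoofed SYNs from sources that never ACK, 10 ms apart,
    then one legitimate client; returns (SYNs admitted, client connected, backend conns)."""
    table = SynProxyTable(capacity, timeout=10.0, purge_at=purge_at)
    now, admitted = 0.0, 0
    for i in range(n_spoofed):
        admitted += table.on_syn(("203.0.113.%d" % (i % 254 + 1), 40000 + i), now)
        now += 0.01
    client = ("198.51.100.7", 51515)                # constructed address
    ok = table.on_syn(client, now) and table.on_ack(client, now + 0.05)
    return admitted, ok, len(table.established)
```

With the utilisation purge enabled the legitimate client still completes its handshake mid-flood and the backend sees exactly one connection; with only the timeout (purge_at=0.0) the table fills and the client's SYN is dropped.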