From: m@rtij.nl.invlalid   
      
   On Thu, 05 Nov 2009 17:41:31 +0000, Rick Jones wrote:   
      
   > Martijn Lievaart wrote:   
   >> Any firewall that tries to handle SYN floods by spoofing the connection   
   >> until the three way handshake is complete. Firewall-1 does this for   
   >> instance and I suspect others as well.   
   >   
   > Isn't that somewhat borrowing from Peter to pay Paul? I would think   
   > that space for "state" would be even more limited in a firewall than it   
   > would be in the host(s) behind it.   
      
   I haven't completely made up my mind about it. As you note, it's not a
   matter of space, I think; most current devices can probably handle lots of
   half-open connections. Especially those firewalls, they were designed for
   it, but most device stacks can probably handle lots as well. When this
   feature was designed, however, many TCP/IP implementations would buckle
   under a SYN attack, so then it did make sense.
      
   On the plus side, the firewall gives a single point of defense that   
   behaves predictably for all devices it defends. And it gives you a   
   defense for devices that do not behave well under a SYN attack.   
      
   On the minus side: first, I don't trust most firewall vendors to get even
   the most basic stuff right [1][2][3]. Second, I think (but am not sure)
   most devices you would want to protect may actually handle SYN attacks
   even better.
      
   On the whole, I would not enable it unless under attack to see if that   
   would give temporary relief.   
      
   M4   
      
   [1] I've encountered a "professional" firewall that a) assumed classful
   addressing, so any class-C address that ended in .255 was assumed to be
   spoofed. And it only checked the destination address, so typically it
   blocked the SYN-ACK from the server instead of the SYN from the client.
   It also would allow or deny /ALL/ ICMP, including fragmentation-needed.
   What a piece of ****.
      
   [2] (Older) Firewall-1 cannot handle related traffic correctly without   
   minor brain surgery. And when logging in, it will tell you if it was the   
   username or the password that was wrong.   
      
   [3] So many SOHO routers where the initial version allowed management   
   from the outside by default. The first update for the firmware would   
   typically address this.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
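An added example, not code from the post or from any firewall product it mentions: a toy Python model of the state trade-off the thread argues about. A SYN-proxying firewall answers every SYN itself and keeps one table entry per half-open connection until the client's ACK arrives, so a burst of SYNs that never complete can fill that table and shut out real clients unless entries expire quickly. The second class goes beyond the post: the stateless SYN-cookie variant, the usual answer to the "space for state" concern, where the ISN is a keyed hash and nothing is stored until a valid ACK proves the client is real. All traffic is constructed in the script; client strings stand in for the TCP 4-tuple, and the cookie layout is a simplified sketch rather than any real stack's.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass, field

MASK32 = 0xFFFFFFFF


@dataclass
class StatefulSynProxy:
    """SYN proxy that keeps one table entry per half-open connection until the
    client's ACK arrives (the 'state' the thread argues about)."""
    max_half_open: int
    timeout: float                                  # seconds an entry may stay half-open
    half_open: dict = field(default_factory=dict)   # client -> (isn, syn_time)
    completed: int = 0
    dropped: int = 0

    def on_syn(self, client, now):
        """Answer a SYN with a SYN-ACK (returns our ISN), or None if the table is full."""
        self._expire(now)
        if len(self.half_open) >= self.max_half_open:
            self.dropped += 1
            return None
        isn = random.getrandbits(32)                # real stacks randomize the ISN too
        self.half_open[client] = (isn, now)
        return isn

    def on_ack(self, client, now, ack_num):
        """Third handshake step: accept only if we remember the SYN and ACK == ISN+1."""
        self._expire(now)
        entry = self.half_open.get(client)
        if entry is None or ack_num != (entry[0] + 1) & MASK32:
            return False
        del self.half_open[client]
        self.completed += 1
        return True

    def _expire(self, now):
        stale = [c for c, (_, t) in self.half_open.items() if now - t > self.timeout]
        for c in stale:
            del self.half_open[c]


class SynCookieProxy:
    """Stateless alternative: the ISN is a keyed hash of the client and a coarse
    time counter, so nothing is stored until a valid ACK comes back.
    Simplified layout (assumption): 5 bits counter | 3 bits MSS index | 24 bits MAC."""

    def __init__(self, secret):
        self.secret = secret
        self.completed = 0

    def _cookie(self, client, mss_idx, counter):
        msg = f"{client}|{mss_idx}|{counter}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return ((counter & 0x1F) << 27) | ((mss_idx & 0x7) << 24) | int.from_bytes(mac[:3], "big")

    def on_syn(self, client, now, mss_idx=0):
        return self._cookie(client, mss_idx, int(now // 60))

    def on_ack(self, client, now, ack_num):
        isn = (ack_num - 1) & MASK32
        mss_idx = (isn >> 24) & 0x7                 # recovered from the cookie itself
        counter = int(now // 60)
        for c in (counter, counter - 1):            # tolerate one counter rollover
            if self._cookie(client, mss_idx, c) == isn:
                self.completed += 1
                return True
        return False


def simulate(proxy, flood_syns, legit_clients, now=1000.0):
    """Constructed traffic: a burst of SYNs that never complete the handshake, then
    legitimate clients that do. Returns how many legitimate connections got through."""
    for i in range(flood_syns):
        proxy.on_syn(f"spoofed-src-{i}", now)       # these never ACK
    accepted = 0
    for client in legit_clients:
        isn = proxy.on_syn(client, now + 1.0)
        if isn is not None and proxy.on_ack(client, now + 1.1, (isn + 1) & MASK32):
            accepted += 1
    return accepted


if __name__ == "__main__":
    clients = [f"client-{i}" for i in range(5)]
    full = StatefulSynProxy(max_half_open=100, timeout=30.0)
    print("stateful, table of 100, 200 flood SYNs:", simulate(full, 200, clients), "of 5 accepted")
    quick = StatefulSynProxy(max_half_open=100, timeout=0.5)
    print("stateful, 0.5 s half-open timeout:", simulate(quick, 200, clients), "of 5 accepted")
    cookies = SynCookieProxy(secret=b"constructed-demo-secret")
    print("SYN cookies, no table at all:", simulate(cookies, 200, clients), "of 5 accepted")
```

The first run shows the failure mode behind Rick's objection: with a 30 s half-open timeout the proxy's table is exhausted by 100 unanswered SYNs and every real client is refused. The second run shows the knob most SYN-proxy products actually turn, an aggressive half-open timeout, which lets real clients in but still spends table space on the flood. The cookie variant spends no memory per SYN; its cost is that a forged ACK with a guessed ISN must be rejected by recomputing the hash, which the model does for the current and previous counter.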