Great Circle Associates Firewalls
(September 1996)
 


Subject: Re: SYN floods
From: "Simon J. Gerraty" <sjg @ zen . quick . com . au>
Date: Thu, 12 Sep 1996 22:20:47 +1000 (EST)
To: firewalls @ greatcircle . com
Cc: Todd . Truitt @ evolving . com
Newsgroups: lists.firewalls
References: <199609120111 . TAA06372 @ thepound . evolving . com>

Todd.Truitt writes:

>I believe it was stated that this SYN flood came from IP packets with
>the "Source Route" option set.  

Perhaps so, but SR is not necessary unless the attacker wanted to
receive responses, which is not needed for this sort of attack.

> ... There should be a packet filter routine
>which will drop ALL packets with *any* options triggered.  Since,
>typically speaking, the only reason that the IP options are used is
>to debug or cause trouble, this might be the safest approach for a
>firewall.

All quite true.  The most useful thing you can do with your Internet
router is drop all packets with IP options and with source addresses
from the wrong side.

Sadly though, that is not enough to save you from a SYN attack.

--sjg
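
The two router checks discussed in this message (drop packets carrying IP options, drop packets whose source address is on the wrong side), as an added example that is not part of the original post. The inside prefix, the function names and the sample packets are all constructed for illustration.

```python
import ipaddress
import struct

# Assumption: the protected network behind the router (sample prefix).
INSIDE_NET = ipaddress.ip_network("192.168.10.0/24")

def build_ipv4_header(src, dst, options=b""):
    """Construct a sample IPv4 header (checksum left at 0) for the demo."""
    if len(options) % 4:
        raise ValueError("options must be padded to a 32-bit boundary")
    ihl = 5 + len(options) // 4
    return struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, ihl * 4 + 20, 0, 0, 64, 6, 0,
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    ) + options

def filter_packet(header, arrived_on):
    """Return (verdict, reason) for a packet seen on 'outside' or 'inside'."""
    if len(header) < 20 or header[0] >> 4 != 4:
        return ("drop", "not a well-formed IPv4 header")
    ihl = header[0] & 0x0F
    if ihl < 5 or len(header) < ihl * 4:
        return ("drop", "bad header length")
    if ihl > 5:
        # Any IHL above 5 means option bytes follow the fixed 20-byte header.
        return ("drop", "IP options present")
    src = ipaddress.ip_address(header[12:16])
    if arrived_on == "outside" and src in INSIDE_NET:
        return ("drop", "inside source address arrived on outside interface")
    if arrived_on == "inside" and src not in INSIDE_NET:
        return ("drop", "outside source address arrived on inside interface")
    # The filter cannot tell whether an outside source address is genuine.
    return ("accept", "no options, source on the correct side")

# Constructed sample packets, all arriving on the outside interface.
LSRR = bytes([131, 7, 4, 203, 0, 113, 1, 0])  # loose source route + EOL pad
SAMPLES = {
    "source-routed": build_ipv4_header("198.51.100.7", "192.168.10.5", LSRR),
    "spoofed-inside": build_ipv4_header("192.168.10.99", "192.168.10.5"),
    "plain-outside": build_ipv4_header("203.0.113.50", "192.168.10.5"),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(name, filter_packet(hdr, "outside"))
```

The third sample is accepted: a packet with no options and an outside-looking source address passes both checks, which is why these filters alone do not stop a SYN flood.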

