At 10:39 9/13/96 -0600, Todd Truitt wrote:
>1. Upon the reciept of any new packet containing a request to set up
> a connection (SYN), grab the source address, hold the packet,
> log the address into a cache, "waiting for reply", and
> send a reply (SYN-2).
>2. While waiting for an ACK from the source host to your SYN-2,
> drop *all* other segments from the source address which do not
> have an ACK contained in them. Do not accept any packets
> from the source until your SYN-2 is successfully answered.
>3. Upon reciept of an ACK to your SYN-2, load source address into
> cache, "good addresses", organized by timestamp of intial SYN request
> and preform the rest of the connection like any normal transaction.
>4. If, after a configurable timeout period (75 sec., say) no ACK is
> recieved, put the source address into a 3rd cache, "bad addresses",
> log the address and dump all packets from that address.
This can help in some ways, but still wouldn't help in the event of the
spoofer sending random source addresses, as we have seen in most of the
attacks made against one of our servers.
William S. Duncanson
(888) NEOSOFT or (713) 968-5800