Hello Todd,
[... schema skipped for saving space ...]
| OK, this sounds plausible. But let's modify it a bit.
|
| 1. Upon the receipt of any new packet containing a request to set up
| a connection (SYN), grab the source address, hold the packet,
| log the address into a cache, "waiting for reply", and
| send a reply (SYN-2).
Yes.
| 2. While waiting for an ACK from the source host to your SYN-2,
| drop *all* other segments from the source address which do not
| have an ACK contained in them. Do not accept any packets
| from the source until your SYN-2 is successfully answered.
NO. Assume a SYN-flood comes not from a martian but
from an (otherwise legitimate) spoofed address. You gain nothing
with this strategy -- the legitimate client will be shut up.
I may be wrong, but at this point one should wait for
one of the 3 events:
1. legitimate ACK
2. RST from a spoofed (and upset) client :)
3. timeout expiration
| 3. Upon receipt of an ACK to your SYN-2, load source address into
| cache, "good addresses",
Would a routing table be enough?
| organized by timestamp of initial SYN request
| and perform the rest of the connection like any normal transaction.
| 4. If, after a configurable timeout period (75 sec., say) no ACK is
| received, put the source address into a 3rd cache, "bad addresses",
| log the address and dump all packets from that address.
I doubt it, for the above reasons.
| How does this sound? I wonder what kind of performance hit the server
| would take?
|
| --Todd
|
| _____________________________________________________________________________
| R. Todd Truitt                                    Todd.Truitt@evolving.com
| Evolving Systems, Inc.
|
Best,
Andrew
--
nic-hdl: ST73-RIPE
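The two handshake-caching policies discussed above, worked through as a small simulation. This is an added example, not code from the original thread or from either poster: the address 10.0.0.5, the packet times and the client's reactions (RST to an unsolicited SYN-2, ACK to a SYN-2 it asked for) are constructed, and "drop_non_ack" / "wait_ack_rst" are names chosen here for Todd's steps 2 and 4 and for Andrew's ACK / RST / timeout variant respectively.

```python
"""Address-cache SYN defence from the thread above, simulated under two policies.

"drop_non_ack": Todd's steps 2 and 4 as quoted (everything without ACK from a
                pending source is dropped; after the timeout the address goes
                into the "bad" cache and is dropped for good).
"wait_ack_rst": Andrew's variant (a pending entry is closed by the ACK, by an
                RST from the source, or by the timeout; nothing is blacklisted).
Addresses, times and the client's behaviour are constructed for this example.
"""
import heapq
import itertools
from dataclasses import dataclass, field
from typing import Dict, List

TIMEOUT = 75.0       # seconds; the "configurable timeout period" of step 4
CLIENT = "10.0.0.5"  # constructed: legitimate client whose address the flood spoofs


@dataclass
class Packet:
    t: float
    src: str
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass
class Server:
    policy: str
    waiting: Dict[str, float] = field(default_factory=dict)  # src -> time of first SYN
    good: Dict[str, float] = field(default_factory=dict)     # src -> handshake completed
    bad: Dict[str, float] = field(default_factory=dict)      # src -> time blacklisted
    notes: List[str] = field(default_factory=list)

    def _expire(self, now: float) -> None:
        # Step 4: pending entries older than TIMEOUT are discarded; only the
        # drop_non_ack policy also records the source as a bad address.
        for src, t0 in list(self.waiting.items()):
            if now - t0 >= TIMEOUT:
                del self.waiting[src]
                if self.policy == "drop_non_ack":
                    self.bad[src] = now
                    self.notes.append(f"{now:5.1f}s {src} moved to bad cache")

    def handle(self, p: Packet) -> str:
        self._expire(p.t)
        if p.src in self.bad:
            return "dropped: address in bad cache"
        if p.src in self.waiting:
            if p.ack:                                    # step 3: SYN-2 answered
                del self.waiting[p.src]
                self.good[p.src] = p.t
                return "established"
            if p.rst and self.policy == "wait_ack_rst":  # event 2 in Andrew's list
                del self.waiting[p.src]
                return "pending entry cleared by RST"
            return "dropped: waiting for ACK"            # step 2
        if p.syn and not p.ack:                          # step 1: hold, cache, reply
            self.waiting[p.src] = p.t
            return "SYN-2 sent"
        return "ignored: no pending handshake"


def simulate(policy: str, flood_syn_at: float, client_syn_at: List[float]) -> dict:
    """Replay one spoofed SYN plus the real client's connection attempts.

    The real client answers an unsolicited SYN-2 with an RST one second later,
    answers a SYN-2 for its own SYN with an ACK, and stops sending SYNs once
    connected.  Returns the event log and the final cache state.
    """
    srv = Server(policy)
    seq = itertools.count()                  # tie-breaker so heapq never compares Packets
    events: list = []

    def push(t: float, pkt: Packet, who: str) -> None:
        heapq.heappush(events, (t, next(seq), pkt, who))

    push(flood_syn_at, Packet(flood_syn_at, CLIENT, syn=True), "flood SYN (spoofed)")
    for t in client_syn_at:
        push(t, Packet(t, CLIENT, syn=True), "client SYN")

    log, connected, client_pending = [], False, False
    while events:
        t, _, pkt, who = heapq.heappop(events)
        if who == "client SYN":
            if connected:
                continue                     # no retransmission once connected
            client_pending = True
        outcome = srv.handle(pkt)
        log.append(f"{t:5.1f}s {who:<20} -> {outcome}")
        if outcome == "SYN-2 sent":
            if client_pending:               # the client did ask for this one
                push(t + 1, Packet(t + 1, CLIENT, ack=True), "client ACK")
            else:                            # unsolicited: the real host resets it
                push(t + 1, Packet(t + 1, CLIENT, rst=True), "client RST")
        elif outcome == "established" and who == "client ACK":
            connected, client_pending = True, False
    return {"log": log, "connected": connected,
            "bad": sorted(srv.bad), "notes": srv.notes}


if __name__ == "__main__":
    for policy in ("drop_non_ack", "wait_ack_rst"):
        r = simulate(policy, 0.0, [5.0, 11.0, 23.0, 100.0])
        print(f"\n{policy}: client connected = {r['connected']}, bad = {r['bad']}")
        print("\n".join(r["log"] + r["notes"]))
```

Run as-is, the "drop_non_ack" policy never lets 10.0.0.5 complete a handshake: its RST is discarded under step 2, its own SYNs are discarded while the spoofed entry is pending, and after the 75 s timeout the address lands in the bad cache, so the late retry at 100 s is dropped too. Under "wait_ack_rst" the RST clears the spoofed entry at 1 s and the client's connection at 5 s completes normally. The simulation only models the per-address cache, not the half-open connection queue itself, which is the resource the flood actually targets.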