Great Circle Associates Firewalls
(September 1996)

Subject: Re: SYN floods - possible solution?
From: Adam Shostack <adam @ homeport . org>
Date: Fri, 13 Sep 1996 09:12:47 -0500 (EST)
To: murchiso @ vivid . newbridge . com
Cc: firewall-1 @ applicom . co . il, firewalls @ GreatCircle . COM
In-reply-to: <Pine . SOL . 3 . 95 . 960913012131 . 10525A-100000 @ tartarus> from "Roderick Murchison, Jr." at Sep 13, 96 01:36:54 am

There may be real connections from machines which can not be
pinged.

If your firewall is a smart relay, it could send an RST after a short
time without seeing an inbound SYN/ACK.

Adam


Roderick Murchison, Jr. wrote:

| Ditto... I just woke up *again* with a kludgy but potential defense...
| sorry if this is totally out of whack, but I'm really beat!
| 
| Ok.  Say you have a firewall between your network and your Internet
| connection.  If that firewall could detect and *detain* a segment with the
| SYN option set, then see if the set source IP answers an ICMP echo
| request, we could effectively determine whether or not the SYN could be
| dropped at the firewall and not sent through to spam our hosts.  If the
| source responds, release the SYN and let it pass through to the intended
| host.  If it does not, trash the SYN and log the failure.


-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
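The mechanism the two posts describe, as an added example that is not code from the thread or its authors: a firewall that detains each SYN, releases it once the claimed source proves itself (an echo reply to Roderick's probe, or the client's own handshake ACK in Adam's relay case), and resets and logs the rest after a short timeout. Class and method names, the timeout, the table size and the addresses in the scenario are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class HalfOpen:
    key: tuple      # (src_ip, src_port, dst_ip, dst_port)
    created: float  # time the SYN was detained

class SynGate:
    """Detain SYNs; release on proof the source is real, expire the rest."""
    def __init__(self, timeout=2.0, max_pending=1000):
        self.timeout, self.max_pending = timeout, max_pending
        self.pending = {}   # key -> HalfOpen; bounded so a flood cannot grow it forever
        self.log = []

    def on_syn(self, now, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, src_port, dst_ip, dst_port)
        if len(self.pending) >= self.max_pending:
            self.log.append(f"{now:.1f} table full, SYN from {src_ip} dropped")
            return ("drop", key)
        self.pending[key] = HalfOpen(key, now)
        # Relay mode answers SYN/ACK itself; probe mode pings the claimed source.
        return ("syn_ack_and_probe", key)

    def on_proof(self, now, src_ip, src_port=None):
        """Source proved itself: echo reply (any port) or handshake ACK (one port)."""
        released = []
        for key in list(self.pending):
            if key[0] == src_ip and (src_port is None or key[1] == src_port):
                del self.pending[key]
                released.append(("release", key))
        return released

    def tick(self, now):
        """Short timer: reset and log every half-open entry that never got proof."""
        expired = []
        for key, h in list(self.pending.items()):
            if now - h.created >= self.timeout:
                del self.pending[key]
                self.log.append(f"{now:.1f} no reply from {key[0]}, reset half-open {key[2]}:{key[3]}")
                expired.append(("rst", key))
        return expired

def simulate():
    """Constructed scenario: one real client, three spoofed sources that never answer."""
    g = SynGate(timeout=2.0)
    g.on_syn(0.0, "198.51.100.7", 40000, "192.0.2.10", 80)          # real client
    for i in range(3):                                               # spoofed, unreachable sources
        g.on_syn(0.1 * i, f"203.0.113.{i}", 50000 + i, "192.0.2.10", 80)
    released = g.on_proof(0.3, "198.51.100.7")                       # echo reply or ACK arrives
    expired = g.tick(2.5)                                            # short timer fires
    return len(released), len(expired), len(g.pending)               # -> (1, 3, 0)
```

The bounded table is what keeps the firewall itself from becoming the victim: unanswered SYNs occupy a slot only for `timeout` seconds, and the log lines give the operator the failing source addresses.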



