On Tue, 21 Oct 1997, Peter da Silva wrote:
> > Define 'cleanly'. You could do the connect stuff in nonblocking mode then
> > switch to blocking mode after one of the sockets is in the connected
> > state.
>
> But how do you have multiple "accept"s pending?
Loop through the sockets; if no connection is there to be accepted, you should
get EWOULDBLOCK. Otherwise, ...
>
> > decent stateless filters can block fragment attacks; stealth scans really
> > cant be detected at the application level, so you are a loser there as
> > well.
>
> They can't be *detected*, but they can't get through a proxy either, since
> the proxy won't accept the SYN/ACK.
>
> The big thing is that when the next silly bugger figures out an IP level
> attack, odds are the proxies will block it because they throw all that
> information away.
>
True. Depends on the nature of the attack. If it is simply an
informational attack (for instance, stealth scanning) then a proxy can't
do a whole lot. If it is something where privileges may be obtained, then
a proxy certainly can do a lot.
Another big advantage of proxies is the lack of privilege needed. Each
proxy can run under a separate uid, unlike packet filtering code that by
its very nature needs to run with superuser privileges (and in kernel
memory).
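The two mechanics this message relies on, as an added C example that is not part of the thread: the accept loop over several non-blocking listening sockets (where EWOULDBLOCK means "nothing pending on this one", not an error), and the per-proxy privilege drop to a dedicated uid/gid so the proxy never keeps superuser rights. It assumes POSIX sockets and Linux/BSD setuid semantics; the loopback listener and client helpers exist only so the program can exercise itself without a real network, and the uid/gid handed to drop_privileges are whatever the caller chooses.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum { ACCEPT_NONE = -1, ACCEPT_ERR = -2 };

/* Switch a descriptor to O_NONBLOCK; 0 on success, -1 on error. */
int make_nonblocking(int fd)
{
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0 ? -1 : 0;
}

/* One accept() attempt on a non-blocking listener.  EWOULDBLOCK/EAGAIN is the
 * normal "no connection pending" answer and must not be treated as failure.
 * Returns the new client fd (>= 0), ACCEPT_NONE, or ACCEPT_ERR. */
int try_accept(int listen_fd)
{
    int client = accept(listen_fd, NULL, NULL);
    if (client >= 0)
        return client;
    if (errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR)
        return ACCEPT_NONE;
    if (errno == ECONNABORTED)   /* peer gave up before we got to it: not fatal */
        return ACCEPT_NONE;
    return ACCEPT_ERR;
}

/* One sweep over all listeners: fills out[] with accepted client fds and
 * returns the count.  A broken listener is reported and skipped so one bad
 * socket cannot stall the others. */
int sweep_listeners(const int *listeners, int n, int *out)
{
    int got = 0;
    for (int i = 0; i < n; i++) {
        int c = try_accept(listeners[i]);
        if (c >= 0)
            out[got++] = c;
        else if (c == ACCEPT_ERR)
            fprintf(stderr, "accept on fd %d: %s\n", listeners[i], strerror(errno));
    }
    return got;
}

/* Drop to the dedicated uid/gid for this proxy.  Order matters: clear the
 * supplementary groups and set the gid while still root, set the uid last,
 * then verify the drop took and that root cannot be regained.  0 or -1. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() == 0 && setgroups(0, NULL) < 0)
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (getuid() != uid || getgid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* must fail once we are unprivileged */
        return -1;
    return 0;
}

/* Constructed loopback address for the self-test helpers below. */
static struct sockaddr_in loopback_addr(unsigned short port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    return sa;
}

/* Non-blocking loopback TCP listener on an ephemeral port; stores the port. */
int make_listener(unsigned short *port_out)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = loopback_addr(0);
    socklen_t len = sizeof sa;
    if (fd < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&sa, len) < 0 || listen(fd, 16) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0 || make_nonblocking(fd) < 0) {
        close(fd);
        return -1;
    }
    *port_out = ntohs(sa.sin_port);
    return fd;
}

/* Blocking client connect to a loopback port; on loopback the handshake
 * completes before connect() returns, so the next sweep sees it. */
int connect_loopback(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = loopback_addr(port);
    if (fd < 0 || connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    unsigned short p1, p2;
    int listeners[2] = { make_listener(&p1), make_listener(&p2) }, clients[2];
    printf("idle sweep accepted %d\n", sweep_listeners(listeners, 2, clients));
    int c = connect_loopback(p2);
    printf("after connect, sweep accepted %d\n", sweep_listeners(listeners, 2, clients));
    if (c >= 0) close(c);
    return 0;
}
```

In a real proxy each listener sweep would be driven by select() or poll() rather than a busy loop, and drop_privileges would be called once per proxy process right after the privileged bind, with a different uid for each protocol handler.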