From: Robert Hanson <roberth @
> logically speaking... isnt there some integral part of a syn flood or syn
> this or that that is "detectable" and therefor "blockable" or that it will
> allow some "logic" to be coded to prevent full scale "bombing"?
If the SYN flood is done "right", it is impossible to block AT THE
DESTINATION without blocking valid traffic because there is no way of
knowing what is a valid SYN segment from a flood SYN segment. Only a
foolish person would send the SYN segments from their real IP address,
which could blocked and be traced back to the source.
It is possible to block this type of attack at the source, or at least
force the flooder to use their real IP address - the routers at leaf
networks would have to drop ip packets carrying source addresses not
known to be on the incomming interface - much like stopping inbound ip
> in this syn function, what is so "necessary" about it that a machine must
> "answer" to it good or bad?
SYN segments are an integral part of the TCP 3-way handshake protocol
used to set up a TCP connection and therefore cannot be eliminated.
When a host receives a SYN segment it allocates some resources for the
incomming connection. Most systems will allow 5 to 8 queued incomming
connections before dropping all further packets sent to that port. Each
of these queued connections will remain in place for approximately 75
seconds before timing out. Therefore by simply sending SYN segments
from random ip addresses at 10 intervals to a hosts www port the web
server would be blocked.