Re: [fw-wiz] SYN flood protection strategies (Was: Post connection SYN)

From: Mikael Olsson (mikael.olsson_at_clavister.com)
Date: 10/17/03

    To: Paul Robertson <proberts@patriot.net>
    Date: Fri, 17 Oct 2003 17:40:54 +0200
    
    

    Paul Robertson wrote:
    >
    > Mikael Olsson wrote:
    > > OR you set up the firewall to answer SYNs on behalf of the server
    > > and wait for the handshake with the client to complete before doing
    > > the handshake with the server [...]
    >
    > You'd still want some sort of rate limit to stop floods and broken
    > clients, unless you think a ring buffer solves that problem? Otherwise,
    > you've just moved flood protection from N servers to less than N
    > firewalls, no?

    I've moved the problem from servers with perhaps as low as 5 embryonic
    SYN sockets per port, that block for a full minute when the list is
    full, to a firewall that can handle hundreds of thousands of states,
    embryonic or not, and knows to nuke old embryonic SYNs when the
    state table is full.

    Yes, there are TCP stacks that handle SYN floods much better than
    what I described above (the linux crowd will undoubtedly cheer in with
    "all the world is a linux box!" here), but those that do handle it well
    enough on their own simply don't need the firewall to do SYN flood
    protection for them -- right?

    -- 
    Mikael Olsson, Clavister AB
    Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
    Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
    Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
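As an added example that is not part of the thread: a small Python simulation of the two behaviours contrasted above, a fixed server backlog that refuses new SYNs once its half-open slots are taken, versus a SYN-proxy state table that answers the client itself, only contacts the server after the client's final ACK, and evicts its oldest embryonic entry when full. Capacities, addresses and flood sizes are constructed.

```python
# Constructed simulation, not code from the thread: a server-style
# backlog that refuses new SYNs when full, versus a SYN-proxy state
# table that evicts its oldest embryonic entry to make room.

class Backlog:
    """Fixed-size half-open queue: once full, further SYNs are refused."""
    def __init__(self, capacity):
        self.capacity, self.entries, self.evicted = capacity, {}, 0

    def on_syn(self, key):
        if key in self.entries:
            return "duplicate"
        if len(self.entries) >= self.capacity:
            return "dropped"
        self.entries[key] = "embryonic"
        return "syn-ack"          # answered on behalf of the server

    def on_ack(self, key):
        if self.entries.get(key) != "embryonic":
            return "ignored"
        self.entries[key] = "established"
        return "server-syn"       # client handshake done; now open the real one


class SynProxyTable(Backlog):
    """Same state machine, but a full table evicts the oldest embryonic
    entry (dict keeps insertion order) instead of refusing the new SYN."""
    def on_syn(self, key):
        if key not in self.entries and len(self.entries) >= self.capacity:
            victim = next((k for k, s in self.entries.items()
                           if s == "embryonic"), None)
            if victim is not None:
                del self.entries[victim]
                self.evicted += 1
        return super().on_syn(key)


def simulate(table, flood_syns, legit_clients):
    """Spoofed flood SYNs never ACK; legitimate clients SYN then ACK.
    Returns (clients reaching the server handshake, evictions, table size)."""
    for i in range(flood_syns):   # constructed spoofed sources
        table.on_syn(("203.0.113.%d" % (i % 250 + 1), 40000 + i))
    served = 0
    for j in range(legit_clients):
        key = ("192.0.2.%d" % (j % 250 + 1), 50000 + j)
        if table.on_syn(key) == "syn-ack" and table.on_ack(key) == "server-syn":
            served += 1
    return served, table.evicted, len(table.entries)
```

With a backlog of 5 and 1000 spoofed SYNs no legitimate client gets through, while a 100-entry proxy table keeps serving them by discarding stale half-open entries.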
    
