Re: Anything wrong with blocking "new" SYN/ACK packets?



On 2007-10-19, Ansgar -59cobalt- Wiechers <usenet-2007@xxxxxxxxxxxxxxxx> wrote:
> BlackHole <BlackHole@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>> I was reading about these "distributed reflective denial of service"
>> attacks (spray a ton of IPs with spoofed syn packets and they all hit
>> the target with syn/ack's) and I was wondering:
>>
>> 1. Would it not be possible to just block syn/ack packets that have
>> the state: NEW
>
> Yes (depending on your packet filter, that is).
>
>> or would a legitimate syn/ack have that state anyway?
>
> No.
>
>> 2. If it's possible to just block those, is there any reason why I would
>> NOT want to do that?
>
> No.
>
> cu
> 59cobalt

Cool, well, there's one more defense added to my arsenal of iptables rules
;-)

Thanks

--
~/Blackhole Registered Linux User #420119 (http://counter.li.org)
AMD Athlon64/3200 2046mb pc3200 DDR400, (2) 300gb SATA, 256mb GeForce 6200
Gentoo 2007.0 (Gentoo is the best...)
"A computer is like an air conditioner, it stops working when you open Windows"
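The rule set the two posters are talking about, written out as an added example (this is not code from either of them). Assumed for the example: IPv4, iptables with the conntrack match, a host that initiates its own outbound TCP connections and offers only SSH on tcp/22 inbound; the rules are applied by a hypothetical apply_rules function, and setting IPT=echo prints them instead of applying them. One caveat a practitioner will want: on Linux netfilter a SYN/ACK that matches no tracked connection is classified INVALID rather than NEW (conntrack refuses to open a connection from it), so a rule that matches only state NEW never sees a reflected SYN/ACK; dropping INVALID is what actually catches it, and the NEW rule is kept for the ACK-only packets that conntrack picks up mid-stream when nf_conntrack_tcp_loose is on. The small flag-matching emulation at the top lets the rule order be checked without root, and shows why a SYN/ACK matches "! --syn".

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal stateful iptables INPUT
# policy that refuses TCP packets which neither belong to a tracked connection
# nor open one with a bare SYN, plus a small emulation of the TCP flag
# matching so the rules can be reasoned about (and tested) without root.
# Assumed: IPv4, iptables with the conntrack match, a host that initiates its
# own outbound connections and offers only SSH (tcp/22) inbound.

IPT="${IPT:-iptables}"   # run with IPT=echo to print the rules instead of applying them

# TCP header flag bits (RFC 793 order), used by the emulation below
FIN=1; SYN=2; RST=4; PSH=8; ACK=16; URG=32

# tcp_flags_match FLAGS MASK COMP
# iptables '--tcp-flags MASK COMP' semantics: the packet matches when the flag
# bits selected by MASK are exactly COMP. Exit status 0 = match.
tcp_flags_match() {
    [ $(( $1 & $2 )) -eq "$3" ]
}

# is_syn FLAGS: '--syn' is shorthand for '--tcp-flags SYN,RST,ACK,FIN SYN',
# so a SYN/ACK does NOT count as a SYN and therefore matches '! --syn'.
is_syn() {
    tcp_flags_match "$1" $(( SYN | RST | ACK | FIN )) "$SYN"
}

# is_synack FLAGS: the match the thread asks about, '--tcp-flags SYN,ACK SYN,ACK'.
# Bits outside the mask (PSH, URG) are ignored.
is_synack() {
    tcp_flags_match "$1" $(( SYN | ACK )) $(( SYN | ACK ))
}

apply_rules() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    # A SYN/ACK answering one of our own SYNs belongs to a tracked connection
    # and arrives as ESTABLISHED, so it is accepted here and is never NEW.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot attach to any connection. On Linux a SYN/ACK
    # with no matching SYN is classified INVALID, so this is the rule that
    # actually catches reflected SYN/ACKs.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # The rule asked about in the thread, for filters that do label such a
    # packet NEW.
    $IPT -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j DROP
    # Broader form: a NEW TCP flow must start with a bare SYN. Also covers
    # ACK-only packets conntrack picks up mid-stream (nf_conntrack_tcp_loose).
    $IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    $IPT -A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT
}

# verdict FLAGS CTSTATE DPORT
# Walks the same rule order as apply_rules for a TCP packet arriving on a
# non-loopback interface and prints the target that ends its traversal.
verdict() {
    case "$2" in
        ESTABLISHED|RELATED) echo ACCEPT; return 0 ;;
        INVALID)             echo DROP;   return 0 ;;
    esac
    # only ctstate NEW reaches this point
    if is_synack "$1"; then echo DROP; return 0; fi      # thread's SYN/ACK rule
    if ! is_syn "$1"; then echo DROP; return 0; fi       # '! --syn' rule
    if [ "$3" -eq 22 ]; then echo ACCEPT; return 0; fi   # SSH
    echo DROP                                            # chain policy
}

# Usage:  IPT=echo sh synack-rules.sh apply   (preview the rules)
#         sh synack-rules.sh apply            (apply them, as root)
case "${1:-}" in
    apply) apply_rules ;;
esac
```

Preview with IPT=echo first; the order matters, since the ESTABLISHED,RELATED accept must come before the NEW/INVALID drops or legitimate SYN/ACK replies to your own connections would never get in.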