Re: Anything wrong with blocking "new" SYN/ACK packets?

BlackHole wrote:
On 2007-10-19, Ansgar -59cobalt- Wiechers <usenet-2007@xxxxxxxxxxxxxxxx> wrote:
BlackHole <BlackHole@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
I was reading about these "distributed reflective denial of service"
attacks (spray a ton of IPs with spoofed syn packets and they all hit
the target with syn/ack's) and I was wondering:

1. Would it not be possible to just block syn/ack packets that have
the state: NEW
Yes (depending on your packet filter, that is).

or would a legitimate syn/ack have that state anyway?

2. If it's possible to just block those is there any reason why I would
NOT want to do that?


Cool, well there's one more defense added to my arsenal of iptables rules


you could well try to only allow TCP packets with certain flags and
drop the rest instead of the opposite :D