Re: Anything wrong with blocking "new" SYN/ACK packets?
BlackHole wrote:
On 2007-10-19, Ansgar -59cobalt- Wiechers <usenet-2007@xxxxxxxxxxxxxxxx> wrote:
BlackHole <BlackHole@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
I was reading about these "distributed reflective denial of service"
attacks (spray a ton of IPs with spoofed SYN packets and they all hit
the target with SYN/ACKs) and I was wondering:

1. Would it not be possible to just block SYN/ACK packets that have
the state: NEW
Yes (depending on your packet filter, that is).

or would a legitimate SYN/ACK have that state anyway?
No.

2. If it's possible to just block those is there any reason why I would
NOT want to do that?
No.

cu
59cobalt

Cool, well there's one more defense added to my arsenal of iptables rules
;-)

Thanks

You could well try to only allow TCP packets with certain flags and
drop the rest instead of the opposite :D
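Added illustration for the two approaches discussed in this thread (not code posted by anyone in it): a toy Python model of a stateful filter that classifies inbound TCP packets as NEW or ESTABLISHED and runs the "drop SYN/ACK in state NEW" rule next to the "only a bare SYN may open a new connection" whitelist. The conntrack model is simplified (an entry is created whenever a packet is accepted, and anything that matches an existing entry in either direction is ESTABLISHED; everything else, including a stray ACK with no entry, is NEW, as with iptables' default loose tracking). The iptables lines in the comments are the equivalents I would write for each policy; addresses, ports and the packet trace are constructed for the example.

```python
"""Toy stateful TCP filter modelling the two approaches from the thread.

Added example, not code from any poster. Conntrack is simplified: an entry is
created whenever a packet is accepted, any later packet matching that entry in
either direction is ESTABLISHED, everything else is NEW.
"""
from dataclasses import dataclass

# TCP flag bits (values as in the flags byte of the TCP header)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (towards us) or "out" (sent by us)
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class Conntrack:
    """Minimal connection table keyed on the unordered pair of endpoints."""

    def __init__(self):
        self.table = set()

    @staticmethod
    def key(p):
        # Same key for both directions of one connection
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def state(self, p):
        return "ESTABLISHED" if self.key(p) in self.table else "NEW"

    def note(self, p):
        self.table.add(self.key(p))


def drop_new_syn_ack(p, state):
    """Blacklist rule from the thread. iptables equivalent (assumed wording):
    iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK \
        -m conntrack --ctstate NEW -j DROP
    """
    if p.flags & (SYN | ACK) == (SYN | ACK) and state == "NEW":
        return "DROP"
    return "ACCEPT"


def allow_only_syn_for_new(p, state):
    """Whitelist approach from the last reply. iptables equivalent (assumed wording):
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp -m conntrack --ctstate NEW ! --syn -j DROP
    (--syn matches SYN set with ACK, RST and FIN clear.)
    """
    if state == "ESTABLISHED":
        return "ACCEPT"
    if p.flags & (SYN | ACK | RST | FIN) == SYN:
        return "ACCEPT"
    return "DROP"


def run_filter(trace, policy):
    """Run an INPUT policy over a packet trace; returns (state, verdict) per packet."""
    ct = Conntrack()
    result = []
    for p in trace:
        if p.direction == "out":
            # Our own outbound packets pass OUTPUT and create conntrack state
            ct.note(p)
            result.append(("OUT", "ACCEPT"))
            continue
        state = ct.state(p)
        verdict = policy(p, state)
        if verdict == "ACCEPT":
            ct.note(p)
        result.append((state, verdict))
    return result


# Constructed trace: addresses and ports are made up for this example
US, WEB, REFLECTOR = "10.0.0.5", "203.0.113.10", "198.51.100.7"
CLIENT, SCANNER = "192.0.2.44", "192.0.2.99"
TRACE = [
    Packet("out", US, 40000, WEB, 80, SYN),             # we open a connection
    Packet("in", WEB, 80, US, 40000, SYN | ACK),        # legitimate reply: ESTABLISHED
    Packet("in", REFLECTOR, 80, US, 51000, SYN | ACK),  # reflected SYN/ACK, no state: NEW
    Packet("in", CLIENT, 55123, US, 22, SYN),           # new inbound connection to our sshd
    Packet("in", SCANNER, 6000, US, 22, ACK),           # stray ACK (e.g. an ACK scan): NEW
]

if __name__ == "__main__":
    for name, policy in (("drop NEW SYN/ACK", drop_new_syn_ack),
                         ("allow only SYN for NEW", allow_only_syn_for_new)):
        print(name)
        for p, (state, verdict) in zip(TRACE, run_filter(TRACE, policy)):
            print(f"  {p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
                  f"flags=0x{p.flags:02x} {state:11} {verdict}")
```

Running it shows the point of the thread: the SYN/ACK answering our own SYN is ESTABLISHED and passes under both policies, while the reflected SYN/ACK has no matching entry, is NEW, and is dropped. The difference between the two policies is the last packet: the SYN/ACK-only rule lets a stray ACK through, the whitelist drops everything in state NEW that is not a bare SYN.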