| To: | Rusty Russell <rusty@xxxxxxxxxxxxxxxx> |
|---|---|
| Subject: | Re: [PATCH] Increased DoS protection. |
| From: | Andi Kleen <ak@xxxxxx> |
| Date: | Fri, 28 Apr 2000 09:52:54 +0200 |
| Cc: | jamal <hadi@xxxxxxxxxx>, netdev@xxxxxxxxxxx, netfilter@xxxxxxxxxxxxxxx |
| In-reply-to: | <m12l0Cp-0005MFC@halfway.linuxcare.com.au>; from Rusty Russell on Fri, Apr 28, 2000 at 04:10:55AM +0200 |
| References: | <Pine.GSO.4.20.0004270918170.26852-100000@shell.cyberus.ca> <m12l0Cp-0005MFC@halfway.linuxcare.com.au> |
| Sender: | owner-netdev@xxxxxxxxxxx |
On Fri, Apr 28, 2000 at 04:10:55AM +0200, Rusty Russell wrote:

> This leaves it vulnerable to SYN floods (as is the old masquerading
> code, so we didn't get *worse* here): long term I will implement
> window tracking as per ipfilter, and then I can be more confident that
> a real three-way handshake has occurred, and set a high-confidence bit
> for that connection.

It is still hard when you consider reboots. The 3-way handshake is long
gone. Simply checking for an ACK from inside is not enough, because TCP
generally ACKs all out-of-window packets (so it would be easy to fool
from an attacker who guesses ports). On other connections you'll only
see legitimate ACKs from one end, so checking for more than just an ACK
doesn't work either.

How do you plan to handle that problem? Forget connections on reboot?

-Andi
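Added here as a worked model, not code from the thread, from Rusty's patch, from netfilter or from ipfilter: a small Python tracker that does the per-direction window bookkeeping ipfilter-style tracking is built on, sets the "high-confidence" bit only when the tracker itself watched the three-way handshake, and computes the naive "ACK from inside" rule alongside it for contrast. Addresses, ports, windows and sequence numbers are constructed, and the four in-window conditions are a simplified form of the usual checks (seq no further than the peer's advertised window, not older than the window, ack no higher than what the peer has sent, ack not stale).

```python
"""Model of stateful TCP tracking with ipfilter-style window bounds.

Constructed example for the thread above, not netfilter or ipfilter code.  The
naive "ACK from inside" rule (ignores sequence numbers) and window tracking
(per-direction seq/ack bounds, high-confidence bit only for a handshake this
tracker saw) are computed side by side.  All numbers below are made up.
"""
from dataclasses import dataclass, field

OUT, IN = "out", "in"   # direction of a segment relative to the firewall


@dataclass
class Side:
    end: int = 0      # highest seq + len this side has sent
    maxend: int = 0   # highest seq this side may still send (peer's ack + win)
    maxwin: int = 0   # largest window this side advertised; 0 = side not seen yet


@dataclass
class Conn:
    sides: dict = field(default_factory=lambda: {OUT: Side(), IN: Side()})
    stage: int = 0                # 0 nothing, 1 SYN, 2 SYN/ACK, 3 final ACK seen
    handshake_seen: bool = False  # high-confidence bit under window tracking
    inside_acked: bool = False    # "confirmed" under the naive ACK-from-inside rule


class Tracker:
    def __init__(self):
        self.conns = {}   # constructed 4-tuple string -> Conn

    def packet(self, key, direction, flags, seq, ack, win, length=0):
        """Track one segment; returns 'new', 'pickup', 'ok' or 'out-of-window'."""
        other = IN if direction == OUT else OUT
        end = seq + length + (1 if "SYN" in flags or "FIN" in flags else 0)
        conn, verdict = self.conns.get(key), "ok"
        if conn is None:  # no state: a fresh SYN, or history lost (e.g. after a reboot)
            conn = self.conns[key] = Conn()
            verdict = "new" if flags == "SYN" else "pickup"
        s, r = conn.sides[direction], conn.sides[other]
        # Naive rule: any ACK from the inside host "confirms" the entry.  It never
        # looks at sequence numbers, so a reflexive ACK to a spoofed segment counts.
        if "ACK" in flags and direction == OUT:
            conn.inside_acked = True
        if s.maxwin == 0:                   # first segment seen from this side
            s.end, s.maxwin = end, max(win, 1)
            if "SYN" in flags:
                s.maxend = end              # nothing beyond the SYN is allowed yet
            else:                           # mid-stream pickup: trust this segment
                s.maxend = end + s.maxwin
                if r.maxwin == 0:
                    r.end = r.maxend = ack  # the peer has sent up to 'ack' so far
        in_window = (
            seq <= s.maxend                                 # I: inside the peer's window
            and (r.maxwin == 0 or end >= s.end - r.maxwin)  # II: not older than the window
            and ack <= r.end                                # III: acks only data the peer sent
            and ack >= r.end - s.maxwin                     # IV: ack not hopelessly stale
        )
        if not in_window:
            return "out-of-window"
        s.end, s.maxwin = max(s.end, end), max(s.maxwin, win)
        r.maxend = max(r.maxend, ack + win)
        # High-confidence bit: only a handshake this tracker watched can set it.
        if flags == "SYN" and direction == OUT and conn.stage == 0:
            conn.stage = 1
        elif flags == "SYN/ACK" and direction == IN and conn.stage == 1 and ack == r.end:
            conn.stage = 2
        elif "ACK" in flags and direction == OUT and conn.stage == 2 and ack == r.end:
            conn.stage, conn.handshake_seen = 3, True
        return verdict


KEY = "10.0.0.2:4000<->198.51.100.7:80"   # constructed 4-tuple


def demo_established():
    """Handshake watched end to end, then a port-guessing spoof against it."""
    t = Tracker()
    verdicts = [
        t.packet(KEY, OUT, "SYN", seq=1000, ack=0, win=65535),
        t.packet(KEY, IN, "SYN/ACK", seq=5000, ack=1001, win=65535),
        t.packet(KEY, OUT, "ACK", seq=1001, ack=5001, win=65535),
        t.packet(KEY, OUT, "ACK", seq=1001, ack=5001, win=65535, length=100),
        t.packet(KEY, IN, "ACK", seq=5001, ack=1101, win=65535, length=200),
        # attacker knows the ports but not the sequence numbers
        t.packet(KEY, IN, "ACK", seq=424242, ack=777, win=1024, length=10),
    ]
    return verdicts, t.conns[KEY].handshake_seen


def demo_after_reboot():
    """State lost mid-connection: legitimate traffic is picked up, never confirmed."""
    t = Tracker()
    verdicts = [t.packet(KEY, OUT, "ACK", seq=1101, ack=5001, win=65535, length=50),
                t.packet(KEY, IN, "ACK", seq=5001, ack=1151, win=65535, length=200)]
    return verdicts, t.conns[KEY].handshake_seen


def demo_spoof_after_reboot():
    """Attacker's segment seeds the entry; the host ACKs the out-of-window data."""
    t = Tracker()
    v1 = t.packet(KEY, IN, "ACK", seq=424242, ack=777, win=1024, length=10)
    v2 = t.packet(KEY, OUT, "ACK", seq=1101, ack=5001, win=65535)  # reflexive ACK
    c = t.conns[KEY]
    return (v1, v2), c.inside_acked, c.handshake_seen
```

The three runs cover the three situations in the message. With the handshake seen, a port-guessing spoof with unknown sequence numbers fails check I and is dropped before the inside host can ACK it. After a state loss the legitimate connection is picked up and its traffic passes, but handshake_seen stays False, which is the reboot problem Andi raises. When the attacker's segment is what seeds the picked-up entry, the host's reflexive ACK satisfies the naive rule (inside_acked becomes True) while the window checks reject it and the entry is still never marked high-confidence.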