On Mon, May 13, 2002 at 06:37:29AM -0700, sim ton wrote:
> correct magic cookie. In order to find the correct cookie, an
> attacker has to explore about 16 million values (2^24), which can be
> done in a few hours on a fast link.

This is no longer a problem for Linux, because it includes a timestamp and will change the secret code for the cookies regularly, effectively reducing the time window one can try valid cookies to a timeframe which is not exploitable over internet links.

> my question is still the same:
> is tcp_syncookies reliable ?

If you do not use services on your DMZ servers which you do not want to be available on the internet, then syn cookies are safe, because your firewall does not restrict the access. If you have to run services on DMZ servers which should be blocked by a firewall, then make sure you not only filter on incoming SYN, but also on ACK packages, if you want to be absolutely sure the brute force can't be exploited.

Greetings
Bernd
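
Added example, not part of the original message and not the Linux kernel's algorithm: a simplified Python model of the two points in the reply, a 24-bit cookie that expires with its time window, and a firewall rule that matches only SYN versus one that matches every TCP packet to the blocked port. The cookie construction, window length, port and addresses are assumptions made for illustration.

```python
import hashlib
import hmac

# Simplified model, not the Linux kernel's algorithm. All values are constructed.
SECRET = b"constructed-demo-secret"
WINDOW_SECONDS = 64        # assumed length of one cookie time window
MAX_AGE_WINDOWS = 1        # accept the current and the previous window only
BLOCKED_PORT = 3306        # hypothetical DMZ service the firewall should hide

def make_cookie(conn, window):
    """24-bit cookie bound to the connection 4-tuple and a time window."""
    mac = hmac.new(SECRET, repr((conn, window)).encode(), hashlib.sha256)
    return int.from_bytes(mac.digest()[:3], "big")

def cookie_valid(conn, cookie, now):
    """True if the cookie was issued for conn in a still-accepted window."""
    current = now // WINDOW_SECONDS
    return any(cookie == make_cookie(conn, current - age)
               for age in range(MAX_AGE_WINDOWS + 1))

def syn_only_filter(pkt):
    """Weak rule: drops only connection-opening SYNs to the blocked port."""
    return not (pkt["conn"][3] == BLOCKED_PORT and pkt["flags"] == {"SYN"})

def any_flag_filter(pkt):
    """Rule from the message: drops every TCP packet to the blocked port."""
    return pkt["conn"][3] != BLOCKED_PORT

def server_accepts(pkt, now):
    """Syncookie host: a bare ACK carrying a valid cookie opens a connection."""
    return pkt["flags"] == {"ACK"} and cookie_valid(pkt["conn"], pkt["cookie"], now)

def reaches_service(fw_rule, pkt, now):
    """Connected only if the firewall passes the packet and the host accepts it."""
    return fw_rule(pkt) and server_accepts(pkt, now)

def demo():
    conn = ("198.51.100.7", 40000, "192.0.2.10", BLOCKED_PORT)  # constructed
    issued_at = 1000
    ack = {"conn": conn, "flags": {"ACK"},
           "cookie": make_cookie(conn, issued_at // WINDOW_SECONDS)}
    return {
        "syn_only_fresh": reaches_service(syn_only_filter, ack, issued_at + 10),
        "any_flag_fresh": reaches_service(any_flag_filter, ack, issued_at + 10),
        "syn_only_stale": reaches_service(syn_only_filter, ack, issued_at + 300),
    }

if __name__ == "__main__":
    print(demo())
```

In this model the SYN-only rule lets a bare ACK with a still-valid cookie through, the any-flag rule drops it, and the same cookie is rejected once its time window has passed.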

