On 03-Aug-99 Bill Stackpole wrote:
> There are two approaches to dealing with SYN floods. Support so many tcp
> connections that no one can send you enough open
> requests to use them all. The other is to adaptively reduce the time-out for
> SYN requests based on the number of available connections that remain. In
> other words, I have 20 connections available and a 30 second timeout. When
> I have only 8 connections available the timeout is reduced to 10. Only 3,
> reduced to 5, etc.
What about half-open SYNs? Our IDS is picking these up as a normal course of
daily activity, and I wondered if that is something that should be filtered out.
What exactly is a half-open SYN, what causes it, and can it safely be filtered
out when originating from internal machines?
Thanks,
Dave
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
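A small simulation of the adaptive timeout policy Bill describes, added here as an example and not part of the original thread: each half-open entry (SYN received and answered with SYN-ACK, final ACK never arrives) holds a backlog slot until it times out, and the 20-slot / 30 s / 10 s / 5 s thresholds are taken from the quoted message. The one-SYN-per-second arrival rate and the 60 s run are assumed values chosen for illustration.

```python
"""Backlog simulation: fixed vs adaptive SYN timeout (example code, not from
the thread). Every arriving SYN is assumed never to complete the handshake,
so each one stays half-open until the timeout in force when it arrived."""

MAX_SLOTS = 20  # backlog capacity from the quoted message


def adaptive_timeout(free_slots: int) -> float:
    """Timeout in seconds as a function of remaining free slots, following
    the quoted thresholds: 30 s normally, 10 s at <= 8 free, 5 s at <= 3."""
    if free_slots <= 3:
        return 5.0
    if free_slots <= 8:
        return 10.0
    return 30.0


def fixed_timeout(free_slots: int) -> float:
    """Baseline policy: the 30 s timeout never changes."""
    return 30.0


def simulate(policy, syn_interval: float, duration: float,
             max_slots: int = MAX_SLOTS):
    """Feed one never-completed SYN every `syn_interval` seconds for
    `duration` seconds. `pending` holds the expiry time of each half-open
    entry. Returns (syns_refused_for_lack_of_a_slot, free_slots_at_end)."""
    pending = []  # expiry times of half-open backlog entries
    refused = 0
    t = 0.0
    while t < duration:
        # Reap entries whose timeout has elapsed before handling the new SYN.
        pending = [exp for exp in pending if exp > t]
        free = max_slots - len(pending)
        if free == 0:
            refused += 1  # backlog full: legitimate SYNs would be lost here
        else:
            pending.append(t + policy(free))
        t += syn_interval
    pending = [exp for exp in pending if exp > t]
    return refused, max_slots - len(pending)


if __name__ == "__main__":
    for name, policy in (("fixed", fixed_timeout), ("adaptive", adaptive_timeout)):
        refused, free = simulate(policy, syn_interval=1.0, duration=60.0)
        print(f"{name:8s} refused={refused:2d} free_slots_at_end={free:2d}")
```

With the same one-SYN-per-second stream the fixed policy refuses 20 SYNs and ends with a single free slot, while the adaptive policy refuses 4 and ends with four slots free; the adaptive policy shortens only the lifetime of entries accepted while the backlog was already under pressure.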