On Fri, Mar 17, 2000 at 12:19:44PM +0200, Catalin BOIE wrote:
> On Tue, 14 Mar 2000, Lars Marowsky-Bree wrote:
> 
> > On 2000-03-13T23:51:43,
> >    "Dr. Michael Weller" <[EMAIL PROTECTED]> said:
> > 
> > > Certain Firewalls (say a Cisco PIX, to name one) can protect a network
> > > before certain attacks (say SYN flooding) by first establishing the TCP
> > > protocol with the foreign host and only after successful TCP parameter
> > > negotiation initiating the actual TCP connection to the client. [Afaik,
> > > the PIX (for example) even allows randomization of Packet Sequence Numbers
> > > (in the outbound direction) of the watched TCP connections.]
> > > 
> > > I'm under the impression that I cannot achieve protection against such
> > > denial of service attacks with a linux firewall.
> > 
> > Right. Linux can't do that.
> 
> But ingress filtering?

AIUI, ingress filtering means dropping (silently or otherwise) packets that
match / don't match particular rules; the linux code can certainly do that.
What's described above seems to involve the router fiddling the sequence
numbers in TCP packets. This seems to me to be a Bad Thing, as it involves
the router keeping state (wasn't the whole point of IP that routers were
stateless?). I imagine it also breaks IP level crypto spectacularly.

-- 
HOW YOU CAN TELL THAT IT'S GOING TO BE A ROTTEN DAY:
        #15 Your pet rock snaps at you.
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]