On Fri, 17 Mar 2000, Steve Dodd wrote:

> On Fri, Mar 17, 2000 at 12:19:44PM +0200, Catalin BOIE wrote:
> > On Tue, 14 Mar 2000, Lars Marowsky-Bree wrote:
> > 
> > > On 2000-03-13T23:51:43,
> > >    "Dr. Michael Weller" <[EMAIL PROTECTED]> said:
> > > 
> > > > Certain Firewalls (say a Cisco PIX, to name one) can protect a network
> > > > before certain attacks (say SYN flooding) by first establishing the TCP
> > > > protocol with the foreign host and only after successful TCP parameter
> > > > negotiation initiating the actual TCP connection to the client. [Afaik,
> > > > the PIX (for example) even allows randomization of Packet Sequence Numbers
> > > > (in the outbound direction) of the watched TCP connections.]
> > > > 
> > > > I'm under the impression that I cannot achieve protection against such
> > > > denial of service attacks with a linux firewall.
> > > 
> > > Right. Linux can't do that.
> > 
> > But ingress filtering?
> 
> AIUI, ingress filtering means dropping (silently or otherwise) packets that
> match / don't match particular rules; the linux code can certainly do that.
> What's described above seems to involve the router fiddling the sequence
> numbers in TCP packets. This seems to me to be a Bad Thing, as it involves
> the router keeping state (wasn't the whole point of IP that routers were
> stateless?). I imagine it also breaks IP level crypto spectacularly.


        Yes, the PIX etc. accept an inbound connection faking the
server IP on the outside; if the connection is valid, it then connects
to the server from the inside, faking the remote address.  This is how
it operates.

        Sure, it protects you from SYN attacks, but it is a stateful
device, and evil.

---
As folks might have suspected, not much survives except roaches, 
and they don't carry large enough packets fast enough...
        --About the Internet and nuclear war.
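The relay described in the message above, as an added example that is not part of the thread and is not how the PIX implements it internally: a model SYN proxy in Python. The stand-in server, the Segment type, the 4-tuple flow key and the HMAC-derived cookie used as the proxy's initial sequence number are all assumptions of the example. It demonstrates both points raised in the thread: a spoofed SYN flood leaves neither proxy nor server with any state, and once a connection is accepted the box has to keep per-connection state to rewrite sequence numbers on every packet it relays.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MOD = 1 << 32  # sequence numbers are 32-bit; all arithmetic wraps


@dataclass
class Segment:
    """Only the TCP/IP fields the model needs."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S", "SA", "A", "PA"
    seq: int = 0
    ack: int = 0
    payload: bytes = b""


class FakeServer:
    """Stand-in for the protected host (assumed): picks its own ISN per
    connection and records every non-SYN segment handed to it."""

    def __init__(self):
        self.connections = {}  # (client ip, client port) -> server ISN
        self.received = []

    def handle(self, seg):
        key = (seg.src, seg.sport)
        if seg.flags == "S":
            self.connections[key] = isn = secrets.randbelow(MOD)
            return Segment(seg.dst, seg.dport, seg.src, seg.sport, "SA", seq=isn, ack=(seg.seq + 1) % MOD)
        if key in self.connections:
            self.received.append(seg)


class SynProxy:
    """Finishes the client's handshake itself, then repeats it toward the server."""

    def __init__(self, server_ip, server):
        self.server_ip, self.server = server_ip, server
        self.secret = secrets.token_bytes(16)
        # 4-tuple -> (server ISN - proxy ISN): the per-connection state that
        # makes the box stateful and lets it rewrite sequence numbers.
        self.flows = {}

    def _cookie(self, src, sport, dport):
        """Proxy ISN computed from the tuple (SYN-cookie style, an assumption here),
        so a half-open connection costs no memory: the ACK is checked by recomputing it."""
        mac = hmac.new(self.secret, f"{src}:{sport}>{self.server_ip}:{dport}".encode(), hashlib.sha256)
        return int.from_bytes(mac.digest()[:4], "big")

    def from_outside(self, seg):
        """Packet from the Internet; returns what the client gets back, if anything."""
        key = (seg.src, seg.sport, seg.dport)
        isn = self._cookie(seg.src, seg.sport, seg.dport)
        if seg.flags == "S":  # answer on the server's behalf, keep no state
            return Segment(self.server_ip, seg.dport, seg.src, seg.sport, "SA", seq=isn, ack=(seg.seq + 1) % MOD)
        if key not in self.flows:
            if seg.flags != "A" or seg.ack != (isn + 1) % MOD:
                return None  # spoofed or guessed ACK: dropped, still no state
            # Valid third packet: now connect to the server from the inside,
            # using the client's address as source.
            synack = self.server.handle(Segment(seg.src, seg.sport, self.server_ip, seg.dport, "S", seq=(seg.seq - 1) % MOD))
            self.server.handle(Segment(seg.src, seg.sport, self.server_ip, seg.dport, "A", seq=seg.seq, ack=(synack.seq + 1) % MOD))
            self.flows[key] = (synack.seq - isn) % MOD
            return None
        # Established: client ACKs refer to the proxy ISN; shift them into the server's space.
        self.server.handle(Segment(seg.src, seg.sport, self.server_ip, seg.dport, seg.flags,
                                   seq=seg.seq, ack=(seg.ack + self.flows[key]) % MOD, payload=seg.payload))
        return None

    def from_inside(self, seg):
        """Server -> client: shift the server's SEQ back into the proxy's space. This
        rewrites the TCP header, so an end-to-end header integrity check (IPsec AH) fails."""
        key = (seg.dst, seg.dport, seg.sport)
        if key not in self.flows:
            return None
        return Segment(seg.src, seg.sport, seg.dst, seg.dport, seg.flags,
                       seq=(seg.seq - self.flows[key]) % MOD, ack=seg.ack, payload=seg.payload)


def demo():
    """Constructed traffic: a spoofed SYN flood, a guessed ACK, then one real client."""
    server, srv = FakeServer(), "10.0.0.5"
    proxy = SynProxy(srv, server)
    for i in range(1000):  # 1) forged sources never ACK, so nothing is ever set up
        proxy.from_outside(Segment(f"198.51.100.{i % 250 + 1}", 1024 + i, srv, 80, "S", seq=i))
    flood_state = (len(proxy.flows), len(server.connections))
    # 2) an ACK that never saw our SYN-ACK cannot match the cookie
    bogus_dropped = proxy.from_outside(Segment("198.51.100.9", 5555, srv, 80, "A", seq=1, ack=12345)) is None and not proxy.flows
    c = ("203.0.113.7", 40000)  # 3) real client; the server sees a SYN only after this completes
    synack = proxy.from_outside(Segment(*c, srv, 80, "S", seq=1000))
    proxy.from_outside(Segment(*c, srv, 80, "A", seq=1001, ack=(synack.seq + 1) % MOD))
    server_isn = server.connections[c]
    # 4) data in both directions crosses the two sequence-number spaces
    proxy.from_outside(Segment(*c, srv, 80, "PA", seq=1001, ack=(synack.seq + 1) % MOD, payload=b"GET / HTTP/1.0\r\n\r\n"))
    reply = proxy.from_inside(Segment(srv, 80, *c, "PA", seq=(server_isn + 1) % MOD, ack=1019, payload=b"HTTP/1.0 200 OK\r\n"))
    return {"flood_state": flood_state,            # (0, 0)
            "bogus_dropped": bogus_dropped,        # True
            "proxy_isn": synack.seq, "server_isn": server_isn,
            "server_saw_ack": server.received[-1].ack,  # server_isn + 1
            "client_saw_seq": reply.seq,                # proxy_isn + 1
            "flows": len(proxy.flows)}                  # 1
```

Running demo() shows the trade-off the thread is arguing about: the flood costs the proxy nothing because its ISN is recomputable from the packet, but every accepted connection leaves an entry in flows, and that entry is consulted to rewrite the ACK field outbound and the SEQ field inbound for the life of the connection.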


-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]