On Tue, 19 Aug 2003, Neil Humphreys wrote:

> Lee,
> Yes I am worried about tcp syn attacks

Most TCP implementations handle SYN attacks nicely these days, given the
opportunity by correct kernel tuning. You should only need to worry about
connection attacks where a full SYN handshake has taken place and the
sender is thus verified to exist (or at least to be in the path).

> AND bogus "time wasting" ssl negotiations - basically anything malicious
> that can happen to a "naked" listening socket.

This you can and should implement in your user-space application if
desired. Not an easy task, however. It requires you to keep some statistics
on operations and errors, and start rejecting clients you consider abnormal
in behaviour.

To help in this you can probably rely on session reuse to identify "nice"
clients, to avoid having already verified users blocked or denied if
someone attacks you with a DoS purpose. I think you can hook into the
OpenSSL negotiation before a new session is initiated, but it is not
something I have done.

Regards
Henrik
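The per-client accounting Henrik describes (statistics on handshake attempts and errors, rejecting abnormal clients, exempting clients that have already resumed a session), as an added example that is not part of the thread. It assumes the server calls `allow()` after `accept()` and before `SSL_accept()`, then `handshake_done()` once the handshake succeeds, fails or times out, passing the result of OpenSSL's `SSL_session_reused()`; keying on the peer IP is an assumption of this example.

```python
import time
from collections import defaultdict, deque


class HandshakePolicy:
    """Sliding-window budget of TLS handshakes per peer address.

    A peer that has too many handshake starts, or too many failed/abandoned
    negotiations, inside the window is refused before the (expensive) SSL
    handshake begins.  A peer that has completed a resumed handshake has
    proven it negotiated successfully before, so it is exempt from the budget.
    Caveat: keying on IP lumps together everything behind one NAT.
    """

    def __init__(self, window=60.0, max_attempts=20, max_failures=5,
                 clock=time.monotonic):
        self.window = window
        self.max_attempts = max_attempts
        self.max_failures = max_failures
        self.clock = clock                  # injectable for testing
        self.attempts = defaultdict(deque)  # ip -> timestamps of handshake starts
        self.failures = defaultdict(deque)  # ip -> timestamps of failed handshakes
        self.trusted = set()                # ips seen resuming a session

    def _prune(self, dq, now):
        # Drop timestamps that have fallen out of the sliding window.
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def allow(self, ip):
        """Decide, before SSL_accept(), whether this peer may negotiate."""
        if ip in self.trusted:
            return True
        now = self.clock()
        self._prune(self.attempts[ip], now)
        self._prune(self.failures[ip], now)
        if (len(self.attempts[ip]) >= self.max_attempts
                or len(self.failures[ip]) >= self.max_failures):
            return False
        self.attempts[ip].append(now)
        return True

    def handshake_done(self, ip, ok, session_reused):
        """Record the outcome: ok=False for an error or a timed-out handshake."""
        if not ok:
            self.failures[ip].append(self.clock())
        elif session_reused:
            self.trusted.add(ip)
```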

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
