North American Network Operators Group
Re: SYN floods - possible solution? (fwd)
Yes, using ICMP to try and do TCP SYN validation is bad. In addition to the case where a firewalled site blocks ICMP, consider the case where a group of hosts will respond to pings but have (some/much) TCP traffic to them filtered by a conventional firewall. These hosts can be used as candidate source addresses for a TCP SYN attack as they will respond to the ICMP echo request but will not send a TCP RST to tear down the bogus TCP connection.

Much better IMO to consider waiting for a TCP ACK response to the TCP SYN ACK for the requested TCP connection than to wait for an ICMP echo response at the firewall. As noted before this is a very simple transparent proxy service that can be implemented at the packet level, very similar to that of a NAT box.

-Steve

> On Thu, 12 Sep 1996, Michael Dillon wrote:
>
> ==>Now here is something that could be used by sites to protect against
> ==>SYN flood attack assuming that they can build a special custom box
> ==>with enough RAM to buffer the sockets for 30 seconds or more. How high
> ==>
> ==>From: "Roderick Murchison, Jr." <murchiso@vivid.newbridge.com>
> ==>
> ==>Ok. say you have a firewall between your network and your Internet
> ==>connection. If that firewall could detect and *detain* a segment with the
> ==>SYN option set, then see if the set source IP answers an ICMP echo
>
> This is bad. You should never depend upon remote hosts to give you ICMP
> responses to establish connections. This is because of several reasons:
>
> 1. What if a real remote site uses "established" connection firewalls
>    and chooses to block ICMP? In that case, you've limited yourself
>    vastly as to what can connect to you (there are a lot of sites which
>    use cisco's "established" keyword to firewall and keep
>    functionality).
>
> 2. When links become congested, ICMP packets are given a lower priority
>    to make way for real data.
>
> /cah
>
> ----
> Craig A. Huegen CCIE #2100
> Network Analyst, IS-Network/Telecom
> cisco Systems, Inc., 250 West Tasman Drive
> San Jose, CA 95134, (408) 526-8104
> email: chuegen@cisco.com
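The two validation strategies argued over in this thread, as an added simulation that is not code from the list or from any of its authors. It models three constructed remote hosts (one ordinary, one that answers ping but has unsolicited TCP filtered upstream so it never sends a RST, one that blocks ICMP entirely) and runs a batch of inbound SYNs through both an ICMP-echo validator and a firewall that answers the SYN itself and admits the source only when the handshake completes. The addresses, the packet model and the HMAC-derived sequence number (a SYN-cookie style choice so the firewall stores nothing while it waits, which the thread does not specify) are all assumptions of this example.

```python
"""Compare ICMP-echo validation of inbound SYNs with handshake completion
at the firewall.  Hosts, addresses and packet shapes are constructed for
this example; nothing here touches a real network."""
import hashlib
import hmac
from dataclasses import dataclass

SECRET = b"example-proxy-secret"   # hypothetical per-boot secret for cookies
SERVER = "198.51.100.5"            # protected host behind the firewall (constructed)


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    kind: str        # "SYN", "SYNACK", "ACK", "RST", "ECHO", "ECHOREPLY"
    seq: int = 0
    ack: int = 0


# Constructed remote hosts as seen from the firewall.  tcp_filtered=True means
# an upstream firewall drops unsolicited TCP to the host, so an unexpected
# SYN-ACK gets no RST back, while the host still answers ping.
HOSTS = {
    "192.0.2.10": dict(answers_ping=True,  tcp_filtered=False),
    "192.0.2.20": dict(answers_ping=True,  tcp_filtered=True),
    "192.0.2.30": dict(answers_ping=False, tcp_filtered=False),
}

# Connections these hosts genuinely initiated: (src, sport) -> client ISN.
REAL_CLIENTS = {("192.0.2.10", 40001): 1000, ("192.0.2.30", 40003): 3000}


def remote_reply(p: Pkt):
    """What the addressed host sends back to the firewall, if anything."""
    h = HOSTS[p.dst]
    if p.kind == "ECHO":
        return Pkt(p.dst, p.src, 0, 0, "ECHOREPLY") if h["answers_ping"] else None
    if p.kind == "SYNACK":
        key = (p.dst, p.dport)
        if key in REAL_CLIENTS:          # genuine client: third step of the handshake
            return Pkt(p.dst, p.src, p.dport, p.sport, "ACK",
                       seq=REAL_CLIENTS[key] + 1, ack=p.seq + 1)
        if h["tcp_filtered"]:            # unsolicited SYN-ACK silently dropped, no RST
            return None
        return Pkt(p.dst, p.src, p.dport, p.sport, "RST", seq=p.ack)
    return None


def icmp_validator(syn: Pkt) -> bool:
    """The proposal under discussion: admit the SYN if its claimed source answers ping."""
    probe = Pkt(SERVER, syn.src, 0, 0, "ECHO")
    return remote_reply(probe) is not None


def cookie(src: str, sport: int, dst: str, dport: int) -> int:
    """32-bit sequence number bound to the 4-tuple, recomputable when the ACK arrives."""
    mac = hmac.new(SECRET, f"{src}:{sport}>{dst}:{dport}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


def handshake_validator(syn: Pkt) -> bool:
    """Steve's alternative: answer the SYN at the firewall and admit the source only
    when it returns an ACK that completes our SYN-ACK.  The cookie means no per-SYN
    state is held while waiting, so unanswered SYNs cost nothing."""
    isn = cookie(syn.src, syn.sport, syn.dst, syn.dport)
    synack = Pkt(syn.dst, syn.src, syn.dport, syn.sport, "SYNACK", seq=isn, ack=syn.seq + 1)
    reply = remote_reply(synack)
    return (reply is not None and reply.kind == "ACK"
            and reply.ack == cookie(reply.src, reply.sport, reply.dst, reply.dport) + 1)


def run_scenario() -> dict:
    """Two genuine SYNs plus a burst of SYNs carrying the forged source 192.0.2.20
    (the pingable, TCP-filtered host the message describes).  Returns which source
    addresses each validator would let through to the server."""
    syns = [
        Pkt("192.0.2.10", SERVER, 40001, 80, "SYN", seq=1000),   # real client
        Pkt("192.0.2.30", SERVER, 40003, 80, "SYN", seq=3000),   # real client, blocks ICMP
    ] + [Pkt("192.0.2.20", SERVER, 50000 + i, 80, "SYN", seq=i) for i in range(5)]
    return {
        "icmp": sorted({s.src for s in syns if icmp_validator(s)}),
        "handshake": sorted({s.src for s in syns if handshake_validator(s)}),
    }


if __name__ == "__main__":
    for name, admitted in run_scenario().items():
        print(f"{name:10s} admits {admitted}")
```

The ICMP validator fails in both directions: it admits the forged 192.0.2.20 (ping answered, no RST ever comes) and rejects the genuine 192.0.2.30 (ICMP blocked). The handshake validator admits exactly the two real clients, and because the SYN-ACK sequence number is recomputed from the 4-tuple, the firewall never has to buffer half-open sockets for the 30 seconds the earlier proposal worried about.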