North American Network Operators Group

Re: TCP SYN attacks
Tom Perrine writes:

> Dima> Any data on how the firewall itself withstands SYN attacks? How much
> Dima> resources are needed to cope with a real attack? From what I've read in
> Dima> their white paper it's just a piece of SYN-processing code that was
> Dima> duplicated (functionally) in the gateway, so all concerns about resource
> Dima> usage and speed seem to be still valid.
>
> I agree.
>
> It seems to me that placing this processing in the firewall is
> *potentially* dangerous, as now a SYN-flooding attack (*IF*
> *successful*) will deny service to everything behind the firewall,
> instead of just the targeted host.
>
> If I know I can fire-hose your firewall, and take your *site* off the
> net, then it might become more attractive to me to "find" sufficient
> CPU and bandwidth resources to generate enough packets to take you
> out. This could "raise the stakes" enough to make it worth it to an
> attacker.

I have no opinion about this product specifically, though I don't really favor the approach (at least if you have other options, which most people do). However, I doubt this objection is valid.

I think it should be pretty easy to write code that can handle an entire T1 full of SYNs pretty easily on a low-end pentium box (as long as the Ethernet driver is up to it, which should also not be a big problem). Even without the moderately clever ideas already being implemented (like random drop and SYN hashing) the current bsd code can comfortably handle 1000 elements in a linked list. Hashing alone will probably buy you two or three orders of magnitude improvement.

So maybe you can kill someone's firewall with a T3 with this approach. So what? You can *already* do that...

/a
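An added example, not from the thread or from any BSD release, sketching the half-open connection table the post is arguing about: a fixed-size pool of SYN entries with hashed lookup and random drop when the pool is full, plus a constructed flood showing that the table stays bounded and that a lookup walks one short chain rather than the whole list. The bucket count, the hash function and the toy LCG used to fabricate spoofed sources are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#define SYN_BUCKETS 1024   /* power of two; bucket count is an assumption */
#define SYN_MAX     1000   /* half-open entries held before random drop kicks in */
/* One half-open connection (SYN seen, no ACK yet), chained within its hash bucket. */
struct synq_entry { uint32_t saddr, daddr; uint16_t sport, dport; struct synq_entry *next; };
static struct synq_entry synq_pool[SYN_MAX];  /* fixed memory: a flood cannot grow it */
static struct synq_entry *synq_bucket[SYN_BUCKETS];
static int synq_count;
static unsigned synq_hash(uint32_t sa, uint32_t da, uint16_t sp, uint16_t dp) {
    uint32_t h = (sa ^ da ^ ((uint32_t)sp << 16 | dp)) * 2654435761u;
    h ^= h >> 15; h *= 0x2c1b3c6du; h ^= h >> 12;  /* cheap integer mix (assumed) */
    return h & (SYN_BUCKETS - 1);
}
/* Hashed lookup: walks one short bucket chain instead of the whole half-open list. */
struct synq_entry *synq_find(uint32_t sa, uint32_t da, uint16_t sp, uint16_t dp) {
    struct synq_entry *e = synq_bucket[synq_hash(sa, da, sp, dp)];
    for (; e; e = e->next)
        if (e->saddr == sa && e->daddr == da && e->sport == sp && e->dport == dp) return e;
    return NULL;
}
/* Queue a new SYN; returns 0 for a retransmit that is already queued. When the pool is
 * full, a random existing half-open entry is evicted (random drop) and its slot reused. */
int synq_insert(uint32_t sa, uint32_t da, uint16_t sp, uint16_t dp) {
    struct synq_entry *e, **pp;
    if (synq_find(sa, da, sp, dp)) return 0;
    if (synq_count < SYN_MAX) e = &synq_pool[synq_count++];
    else {                                    /* unlink the victim from its own bucket */
        e = &synq_pool[rand() % SYN_MAX];
        pp = &synq_bucket[synq_hash(e->saddr, e->daddr, e->sport, e->dport)];
        while (*pp != e) pp = &(*pp)->next;
        *pp = e->next;
    }
    e->saddr = sa; e->daddr = da; e->sport = sp; e->dport = dp;
    pp = &synq_bucket[synq_hash(sa, da, sp, dp)]; e->next = *pp; *pp = e;  /* push on head */
    return 1;
}
int synq_max_chain(void) {                    /* longest chain = worst-case lookup cost */
    int i, n, worst = 0; struct synq_entry *e;
    for (i = 0; i < SYN_BUCKETS; i++) {
        for (n = 0, e = synq_bucket[i]; e; e = e->next) n++;
        if (n > worst) worst = n;
    }
    return worst;
}
int synq_flood_demo(void) {   /* constructed flood: 3 * SYN_MAX spoofed SYNs to port 80 */
    uint32_t st = 12345u; int i;              /* tiny LCG stands in for random sources */
    for (i = 0; i < 3 * SYN_MAX; i++, st = st * 1103515245u + 12345u)
        synq_insert(st >> 3, 0xc0a80001u, (uint16_t)((st >> 16) | 1024), 80);
    return synq_count;                        /* capped at SYN_MAX, never more */
}
```

After the flood a legitimate SYN can still be queued and found, and the longest bucket chain is a few entries rather than the thousand a flat list would have to walk.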