Subject: Re: SYN cookie ?
To: suxm <suxm@gnuchina.org>
From: gabriel rosenkoetter <gr@eclipsed.net>
List: tech-kern
Date: 04/17/2001 03:13:18
On Mon, Apr 16, 2001 at 10:27:33AM +0800, suxm wrote:
> If the services run on a NetBSD box, the SYN cache is enough.
> But if the NetBSD box is used as a firewall to protect the LAN,
> and the SYN flood attacks the services running in the LAN, as shown in the following figure,
> the SYN cache is useless.
> 
> SYN flood on PORT 80 -----> NetBSD firewall -----> Web Server on PORT 80 in the LAN.
> 
> Because the NetBSD box just forwards the SYN packets,
> the Web Server in the LAN will still be attacked heavily.
> Don't you think so ?

I know there are plenty of reasons that you may not want to run
NetBSD on that particular web server, but why is its OS not properly
protecting it from SYN floods?

Is this really the kind of thing we need to (further) bog a stateful
firewall down with?

(I mean, I guess, as an option, swell... but if I have nothing but
NetBSD machines inside my NetBSD firewall, I don't want that
firewall keeping extra state to protect those machines from
something they already protect themselves from...)

       ~ g r @ eclipsed.net
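The mechanism the thread is arguing about, as an added example that is not code from NetBSD, from the SYN cache, or from either poster: a SYN cookie encodes everything a listener needs to complete the handshake into the ISN of the SYN-ACK, so neither a server nor a firewall answering on its behalf has to keep a half-open entry per SYN. The layout (a coarse time counter in the top byte, a hashed MSS index in the low 24 bits, the client ISN folded in so the cookie is tied to that SYN) follows the widely used design; the secret keys, the keyed FNV-1a stand-in for a real keyed hash, the MSS table and the two-tick validity window are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COOKIEBITS 24
#define COOKIEMASK ((1u << COOKIEBITS) - 1)
#define MAX_COOKIE_AGE 2u   /* assumed: reject cookies older than two counter ticks */

/* The 4-tuple identifying the half-open connection. */
struct flow {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
};

/* Assumed MSS table: the cookie carries a 2-bit index, not the MSS itself. */
static const uint16_t msstab[] = { 536, 1300, 1440, 1460 };
#define MSSTAB_LEN (sizeof(msstab) / sizeof(msstab[0]))

/* Assumed fixed keys for a reproducible example; a kernel draws them from a CSPRNG. */
static const uint32_t cookie_key[2] = { 0x5eedc0deu, 0x0badf00du };

/* Keyed FNV-1a over the tuple and counter. Stand-in for the keyed cryptographic
   hash a real implementation uses (FNV is not a MAC; do not ship this). */
static uint32_t cookie_hash(const struct flow *f, uint32_t count, int which)
{
    uint32_t words[6] = { f->saddr, f->daddr, f->sport, f->dport, count, cookie_key[which] };
    const unsigned char *p = (const unsigned char *)words;
    uint32_t h = 2166136261u ^ cookie_key[which];
    for (size_t i = 0; i < sizeof(words); i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Largest table MSS not exceeding what the client advertised. */
static uint32_t mss_index(uint16_t mss)
{
    uint32_t idx = 0;
    for (uint32_t i = 0; i < MSSTAB_LEN; i++)
        if (msstab[i] <= mss) idx = i;
    return idx;
}

/* ISN for the SYN-ACK. 'count' is a coarse clock (one tick per minute in the
   classic scheme); only its low 8 bits survive in the cookie. */
uint32_t syncookie_make(const struct flow *f, uint32_t client_isn, uint32_t count, uint16_t mss)
{
    return cookie_hash(f, 0, 0) + client_isn + (count << COOKIEBITS)
         + ((cookie_hash(f, count, 1) + mss_index(mss)) & COOKIEMASK);
}

/* Validate the final ACK of the handshake without any stored state.
   Returns the negotiated MSS, or -1 if the cookie is stale or forged. */
int syncookie_check(const struct flow *f, uint32_t client_isn, uint32_t ack_seq, uint32_t now)
{
    uint32_t cookie = ack_seq - 1;                      /* ACK acknowledges ISN + 1 */
    cookie -= cookie_hash(f, 0, 0) + client_isn;        /* strip the flow binding */
    /* Recover how many ticks ago the cookie was issued from its top byte. */
    uint32_t diff = (now - (cookie >> COOKIEBITS)) & ((uint32_t)-1 >> COOKIEBITS);
    if (diff >= MAX_COOKIE_AGE)
        return -1;
    uint32_t data = (cookie - cookie_hash(f, now - diff, 1)) & COOKIEMASK;
    if (data >= MSSTAB_LEN)                             /* hash mismatch => garbage index */
        return -1;
    return msstab[data];
}

/* Exercises the round trip and the failure modes; returns the number of checks passed. */
int syncookie_selftest(void)
{
    struct flow f = { 0xc0a80001u, 0xc0a80050u, 40000, 80 };   /* constructed sample flow */
    struct flow other = f;
    other.sport = 40001;
    uint32_t isn = syncookie_make(&f, 12345u, 100u, 1460);
    int ok = 0;
    ok += syncookie_check(&f, 12345u, isn + 1, 100u) == 1460;   /* same tick */
    ok += syncookie_check(&f, 12345u, isn + 1, 101u) == 1460;   /* next tick still valid */
    ok += syncookie_check(&f, 12345u, isn + 1, 102u) == -1;     /* expired */
    ok += syncookie_check(&f, 12345u, (isn + 1) ^ 0x80000000u, 100u) == -1; /* tampered counter */
    ok += syncookie_check(&other, 12345u, isn + 1, 100u) == -1; /* replayed on another flow */
    /* Counter wrap: issued at tick 255, checked at tick 256. */
    uint32_t wrap = syncookie_make(&f, 777u, 255u, 536);
    ok += syncookie_check(&f, 777u, wrap + 1, 256u) == 536;
    return ok;
}

int main(void)
{
    printf("syncookie selftest: %d/6 checks passed\n", syncookie_selftest());
    return 0;
}
```

Two things the code makes visible about the thread's disagreement. A listener that validates this way keeps no state for a SYN that is never completed, which is what the SYN cache (which does keep a small entry per SYN) buys only up to its size limit; and a firewall could answer SYNs for the inner web server the same way, but once a cookie validates it must open the real connection to the server and translate sequence numbers on every following segment, so the "stateless" protection still turns into per-connection state on the firewall for every connection that does complete, which is the extra state gabriel objects to. Note also that cookies lose the options that do not fit in 24 bits (window scale, SACK, timestamps in the original scheme), which is why kernels use them only under flood.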