Subject: Re: SYN cookie ?
To: Dr. Rene Hexel <rh@vip.at>
From: Ignatios Souvatzis <ignatios@cs.uni-bonn.de>
List: tech-kern
Date: 04/23/2001 17:56:48

On Mon, Apr 23, 2001 at 05:52:19PM +0200, Dr. Rene Hexel wrote:
> Darren Reed wrote:
>
> > What gets me, about all of this, is that it just moves the resource
> > problem from one box to another and doesn't actually solve it.  To
>
>   Also, in an attack situation, such a firewall might come under
> considerably more stress (than a single host implementing
> syn-cache/cookie) trying to protect a (possibly very large) number of
> hosts at the same time.

Let me be the devil's advocate for a moment:

Assuming you don't keep state to resend the SYN-ACK, believing
that it's not necessary, why is this so? You send the SYN-ACK and forget
about it. You only ever set up state at the moment the ACK to the SYN-ACK
arrives. The attacker, contrary to the normal user, won't answer the SYN-ACK,
right?

	-is
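The stateless exchange described in the message above, worked through as an added example; this is not code from the original mail, from NetBSD, or from any other stack. The server answers a SYN with a SYN-ACK whose initial sequence number is a cookie, keeps nothing, and reconstructs what it needs from the final ACK. Everything about the layout is an assumption made for this example: a 5-bit counter in the top bits (so a cookie expires after the counter moves on), a 3-bit index into a small MSS table, a 24-bit HMAC-SHA256 tag over the 4-tuple, the client's ISN and the counter, a one-tick acceptance window, and a constructed secret key. Addresses, ports and sequence numbers are constructed.

```python
import hashlib
import hmac
import struct

# Constructed secret for this example; a real stack would rotate keys.
SECRET = b"constructed-example-key"
# MSS values the cookie can encode (assumed table); the 3-bit index selects one.
MSS_TABLE = (536, 1220, 1440, 1460)
COUNTER_MASK = 0x1F    # 5-bit counter field in bits 27..31 (assumed layout)
COOKIE_WINDOW = 1      # accept the current or the previous counter value


def _mac24(src, dst, sport, dport, client_isn, count):
    """24-bit keyed tag over the 4-tuple, the client's ISN and the counter."""
    msg = struct.pack("!4s4sHHII", src, dst, sport, dport, client_isn, count)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def _mss_index(mss):
    """Largest table entry that does not exceed the MSS the client offered."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    return idx


def make_cookie(src, dst, sport, dport, client_isn, mss, count):
    """SYN arrived: compute the ISN for the SYN-ACK. No state is stored."""
    count &= COUNTER_MASK
    tag = _mac24(src, dst, sport, dport, client_isn, count)
    return (count << 27) | (_mss_index(mss) << 24) | tag


def check_cookie(src, dst, sport, dport, seq, ack, now_count):
    """ACK arrived: recover the cookie from it and validate.

    Returns the negotiated MSS if the ACK completes a handshake we issued
    a cookie for, or None. Only on success does the caller create state.
    """
    client_isn = (seq - 1) & 0xFFFFFFFF   # client's ISN is seq - 1
    cookie = (ack - 1) & 0xFFFFFFFF       # our ISN (the cookie) is ack - 1
    count = cookie >> 27
    idx = (cookie >> 24) & 0x7
    tag = cookie & 0xFFFFFF
    # Reject cookies older than the window (counter arithmetic wraps mod 32).
    if (now_count - count) & COUNTER_MASK > COOKIE_WINDOW:
        return None
    if idx >= len(MSS_TABLE):
        return None
    expected = _mac24(src, dst, sport, dport, client_isn, count)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), tag.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]


def demo():
    """Walk the three cases from the discussion; returns (legit, forged, stale)."""
    # Constructed endpoints: client 192.0.2.10:40000 -> server 198.51.100.1:80
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1])
    sport, dport = 40000, 80
    client_isn, count = 0x12345678, 7

    # SYN in, SYN-ACK out with the cookie as ISN; nothing remembered.
    cookie = make_cookie(src, dst, sport, dport, client_isn, 1460, count)

    # A real client answers with seq = ISN+1, ack = cookie+1: state created now.
    legit = check_cookie(src, dst, sport, dport, client_isn + 1, cookie + 1, count)

    # A spoofing attacker never sends this ACK, so there is nothing to free.
    # If it tries to forge one without the key, the tag will not verify
    # (here: the genuine cookie with one bit of the tag flipped).
    forged = check_cookie(src, dst, sport, dport, client_isn + 1, (cookie ^ 1) + 1, count)

    # The genuine ACK replayed after the counter has moved past the window.
    stale = check_cookie(src, dst, sport, dport, client_isn + 1, cookie + 1, count + 2)
    return legit, forged, stale


if __name__ == "__main__":
    print(demo())
```

The cost of statelessness is visible in `_mss_index`: only what fits in the cookie survives the round trip, which is why real implementations drop or approximate other SYN options when they fall back to cookies.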
