Subject: Re: SYN cookie ?
To: David Brownlee <abs@netbsd.org>
From: suxm <suxm@gnuchina.org>
List: tech-kern
Date: 04/16/2001 10:27:33
Hi, Brownlee

On 2001-4-15 17:42:00 you wrote:
>	As Jason mentioned, NetBSD already has a syn cache which is
>	specifically designed to handle SYN-flood DoS attacks.

If the services run on the NetBSD box itself, the SYN cache is enough.
But if the NetBSD box is used as a firewall to protect the LAN,
and the SYN flood attacks the services running in the LAN, as
shown in the following figure,
the SYN cache is useless.

SYN flood on PORT 80 -----> NetBSD firewall -----> Web Server on PORT 80 in the LAN.

Because the NetBSD box just forwards the SYN packets,
the Web Server in the LAN will still be attacked heavily.
Don't you think so?

>	Don't SYN cookies make it impossible to tell if the initial
>	connection setup packet has been received?

No, I don't think so.
SYN cookies are implemented perfectly in Linux.
I think NetBSD should have such a function to resist SYN floods.

sincerely yours
suxm
            suxm@gnuchina.org

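For readers following the SYN cache versus SYN cookie discussion in this thread, here is an added example of the SYN cookie mechanism itself. It is not code from this thread, from NetBSD, or from Linux; it follows the initial-sequence-number layout D. J. Bernstein describes for SYN cookies (5-bit counter, 3-bit MSS index, 24-bit keyed hash of the 4-tuple and counter). The key, the MSS table, the counter values and the addresses are constructed for the example, and the keyed mixing function is a stand-in for the cryptographic hash a real kernel would use.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not NetBSD or Linux code. Cookie (ISN) layout:
 *   bits 31..27  counter t mod 32 (a slow clock the listener advances)
 *   bits 26..24  index into a fixed MSS table (the only TCP option kept)
 *   bits 23..0   keyed hash of (saddr, daddr, sport, dport, counter)
 * The listener stores nothing per SYN; the handshake's final ACK carries
 * cookie+1 and is verified by recomputing the hash.
 */
#define COOKIE_HASH_MASK  0x00ffffffu
#define COOKIE_COUNT_MASK 0x1fu

/* Assumed MSS table for this example; 3 bits choose an entry. */
static const uint16_t mss_table[8] = { 536, 1024, 1220, 1440, 1460, 2920, 4312, 8960 };

struct cookie_key { uint64_t k0, k1; };

/* Constructed secret; a kernel would draw this from its random pool. */
static const struct cookie_key demo_key = { 0x0123456789abcdefULL, 0xfedcba9876543210ULL };

/* Stand-in keyed mixer (assumption: NOT a cryptographic hash; a real
 * implementation uses one, since an attacker must not predict these 24 bits). */
static uint32_t cookie_hash(const struct cookie_key *key,
                            uint32_t saddr, uint32_t daddr,
                            uint16_t sport, uint16_t dport, uint32_t count)
{
    uint64_t x = key->k0 ^ (((uint64_t)saddr << 32) | daddr);
    uint64_t y = key->k1 ^ (((uint64_t)sport << 48) | ((uint64_t)dport << 32) | count);
    for (int i = 0; i < 4; i++) {
        x += y; x *= 0x9E3779B97F4A7C15ULL; x ^= x >> 31;
        y += x; y *= 0xBF58476D1CE4E5B9ULL; y ^= y >> 29;
    }
    return (uint32_t)(x ^ y);
}

/* Largest table entry not exceeding the peer's advertised MSS. */
static unsigned mss_index(uint16_t mss)
{
    unsigned best = 0;
    for (unsigned i = 0; i < 8; i++)
        if (mss_table[i] <= mss) best = i;
    return best;
}

/* On SYN (e.g. when the syn cache is full): the ISN for the SYN-ACK. */
uint32_t syncookie_make(const struct cookie_key *key,
                        uint32_t saddr, uint32_t daddr,
                        uint16_t sport, uint16_t dport,
                        uint32_t count, uint16_t peer_mss)
{
    uint32_t t = count & COOKIE_COUNT_MASK;
    uint32_t h = cookie_hash(key, saddr, daddr, sport, dport, count) & COOKIE_HASH_MASK;
    return (t << 27) | (mss_index(peer_mss) << 24) | h;
}

/* On ACK with no cache entry: cookie is ack_seq - 1. Returns the MSS to use
 * (> 0) if the cookie is genuine and at most max_age ticks old, else 0. */
uint16_t syncookie_check(const struct cookie_key *key,
                         uint32_t saddr, uint32_t daddr,
                         uint16_t sport, uint16_t dport,
                         uint32_t cookie, uint32_t count_now, uint32_t max_age)
{
    uint32_t t    = cookie >> 27;
    uint32_t diff = (count_now - t) & COOKIE_COUNT_MASK;
    if (diff > max_age)
        return 0;                               /* stale (or from the future) */
    uint32_t count = count_now - diff;          /* counter value at SYN time */
    uint32_t h = cookie_hash(key, saddr, daddr, sport, dport, count) & COOKIE_HASH_MASK;
    if ((cookie & COOKIE_HASH_MASK) != h)
        return 0;                               /* forged, or wrong 4-tuple */
    return mss_table[(cookie >> 24) & 7];
}

int main(void)
{
    uint32_t saddr = 0x0a000001, daddr = 0xc0a80001;  /* 10.0.0.1 -> 192.168.0.1, constructed */
    uint32_t now = 1000;
    uint32_t isn = syncookie_make(&demo_key, saddr, daddr, 40000, 80, now, 1460);
    printf("SYN-ACK ISN (cookie):       0x%08x\n", isn);
    printf("ACK one tick later, MSS:    %u\n",
           (unsigned)syncookie_check(&demo_key, saddr, daddr, 40000, 80, isn, now + 1, 1));
    printf("ACK replayed 5 ticks later: %u\n",
           (unsigned)syncookie_check(&demo_key, saddr, daddr, 40000, 80, isn, now + 5, 1));
    printf("Flooder's guessed ACK:      %u\n",
           (unsigned)syncookie_check(&demo_key, saddr, daddr, 40000, 80, isn ^ 0x5a5a, now, 1));
    return 0;
}
```

What the code makes visible: between the SYN and the ACK the listener holds no state at all, so the only information it gets back is what the cookie encodes (here the MSS index and a coarse timestamp), and an ACK that does not recompute correctly is simply dropped. Where the counter comes from (Bernstein suggests a clock ticking every 64 seconds) and how many ticks an ACK may lag are policy choices; max_age of 1 is used above.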