new (?) attack?
Dustin Cross
dusty at sandust.com
Tue Feb 26 12:56:18 PST 2002
This is a cool attack. I think it would be easy to protect yourself against. In
my firewall (OpenBSD and IPF) I default block all inbound traffic. Then I
specifically allow traffic to the ports I need (80, 22, 25, etc.) and only allow
packets with the SYN flag set and not the ACK flag. Then I keep state of the
allowed connections. Once I let that SYN packet through, I let all traffic from
that connection through. But if someone sent me a SYN/ACK packet and I did not
already have an open connection with them, my firewall would drop the packet. Now,
I don't run a high-traffic site and I don't know how much traffic you can track the
state of on any given hardware. Does anyone else have any ideas about this?
Dusty
Brian Hessee (gasp at runbox.com) wrote:
>
>this is interesting........and fairly scary...
>
>http://grc.com/dos/drdos.htm
>
>
>
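A small Python model of the rule set described in the message above, added here as an illustration; it is not IPF code and not part of the original post. The addresses are constructed documentation-range values, and the `StatefulFilter` class and `MAX_STATES` limit are assumptions.

```python
from collections import namedtuple

# Model of the policy: default-deny inbound, admit only pure SYNs to listed
# ports, then pass whatever matches tracked state. Names here are assumptions.
Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: frozenset of S/A/R/F
ALLOWED_PORTS = {80, 22, 25}  # ports named in the message
MAX_STATES = 4                # assumed limit, tiny on purpose


class StatefulFilter:
    def __init__(self, max_states=MAX_STATES):
        self.states = set()
        self.max_states = max_states

    def inbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.states:
            if p.flags & {"R", "F"}:  # simplified teardown on RST/FIN
                self.states.discard(key)
            return "pass (state)"
        syn_only = "S" in p.flags and "A" not in p.flags
        if syn_only and p.dport in ALLOWED_PORTS:
            if len(self.states) >= self.max_states:
                return "block (state table full)"
            self.states.add(key)
            return "pass (new state)"
        return "block (default)"  # includes SYN/ACK with no matching state

    def outbound(self, p):
        # Our own outgoing SYN creates state so the peer's SYN/ACK is accepted.
        if p.flags == {"S"} and len(self.states) < self.max_states:
            self.states.add((p.dst, p.dport, p.src, p.sport))
        return "pass"


def demo():
    fw, me = StatefulFilter(), "192.0.2.10"  # constructed addresses below
    out = [fw.inbound(Packet("198.51.100.7", 40000, me, 80, frozenset("S"))),
           fw.inbound(Packet("198.51.100.7", 40000, me, 80, frozenset("A"))),
           # SYN/ACK to an allowed port, but we never sent a SYN to this peer
           fw.inbound(Packet("203.0.113.5", 179, me, 80, frozenset("SA")))]
    fw.outbound(Packet(me, 50000, "203.0.113.9", 443, frozenset("S")))
    out.append(fw.inbound(Packet("203.0.113.9", 443, me, 50000, frozenset("SA"))))
    return out


if __name__ == "__main__":
    print("\n".join(demo()))
```

The `block (state table full)` branch corresponds to the open question in the message: a stateful filter can only track as many connections as its table holds.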