new (?) attack?

Dustin Cross dusty at sandust.com
Tue Feb 26 12:56:18 PST 2002


This is a cool attack.  I think it would be easy to protect yourself against.  In 
my firewall (OpenBSD and IPF) I default block all inbound traffic.  Then I 
specifically allow traffic to the ports I need (80, 22, 25, etc.) and only allow 
packets with the SYN flag set and not the ACK flag.  Then I keep state of the 
allowed connections.  Once I let that SYN packet through, I let all traffic from 
that connection through.  But if someone sent me a SYN/ACK packet and I did not 
already have an open connection with them, my firewall would drop the packet.  Now 
I don't run a high-traffic site and I don't know how much traffic you can track the 
state of on any given hardware.  Does anyone else have any ideas about this?

Dusty


Brian Hessee (gasp at runbox.com) wrote: 
>
>this is interesting........and fairly scary...
>
>http://grc.com/dos/drdos.htm
>
>
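Added example, not part of the original message and not IPF itself: a small Python model of the rule set described above (default block, SYN-only to allowed ports, keep state), run over constructed packets to show which ones match state and how many state entries result. The outbound rule, the addresses and the sample ports are assumptions; timeouts and connection teardown are left out.

```python
from typing import NamedTuple

ALLOWED_PORTS = {80, 22, 25}  # inbound services named in the message

class Packet(NamedTuple):
    direction: str  # "in" or "out", relative to the protected host
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags as letters: "S" = SYN, "A" = ACK

class StatefulFilter:
    def __init__(self):
        self.states = set()  # tracked connections: (local, lport, remote, rport)

    @staticmethod
    def _key(p):
        # One key for both directions of a connection.
        if p.direction == "in":
            return (p.dst, p.dport, p.src, p.sport)
        return (p.src, p.sport, p.dst, p.dport)

    def check(self, p):
        key = self._key(p)
        if key in self.states:
            return "pass"  # belongs to a connection we already track
        syn_only = "S" in p.flags and "A" not in p.flags
        # Assumption: outbound connects are allowed and tracked too.
        if syn_only and (p.direction == "out" or p.dport in ALLOWED_PORTS):
            self.states.add(key)  # "keep state" on the opening SYN
            return "pass"
        return "block"  # default block, including unsolicited SYN/ACK

def run(packets):
    fw = StatefulFilter()
    return [fw.check(p) for p in packets], len(fw.states)

SAMPLE = [  # constructed traffic using documentation address ranges
    Packet("in", "198.51.100.7", 40000, "192.0.2.10", 80, "S"),     # new web client
    Packet("in", "198.51.100.7", 40000, "192.0.2.10", 80, "A"),     # same connection
    Packet("in", "203.0.113.5", 80, "192.0.2.10", 31337, "SA"),     # unsolicited SYN/ACK
    Packet("in", "203.0.113.5", 80, "192.0.2.10", 80, "SA"),        # same, to an open port
    Packet("in", "198.51.100.9", 40001, "192.0.2.10", 23, "S"),     # port not allowed
    Packet("out", "192.0.2.10", 50000, "203.0.113.80", 443, "S"),   # our own connect
    Packet("in", "203.0.113.80", 443, "192.0.2.10", 50000, "SA"),   # its legitimate reply
]

if __name__ == "__main__":
    print(run(SAMPLE))
```

Only the two opening SYNs create state entries; the blocked SYN/ACKs never touch the table, so in this model the table grows with accepted connections rather than with dropped packets.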


