Re: Curious: syncookies ready for distributed syn flooding?

From: Alan Cox (alan@lxorguk.ukuu.org.uk)
Date: Sat Jun 10 2000 - 17:09:01 EDT


    > My understanding of the syncookies implementation (in 2.0, at least) is
    > that it only protects the host which is using it; not the hosts _behind_ it
    > (ie. acting as a firewall). Is this not the case?

    It depends if you configure your firewall as a proxy host

    > 1.) The firewall maintains a "Max SYN's per port per sec" value,
    > configurable in some way.

    Instant DoS attack using the firewall

    > 4.) When a SYN arrives, it is compared to the value in the temp hash table:
    > if there is not an entry, one is added (as above). If there is an entry,
    > and it hasn't been validated, a validation request is sent. If there is an
    > entry and it has already been validated, any more SYN's from this host will
    > be accepted right away.**

    So I attack your hash function

    I'd actually be tempted to implement syn cookies on the firewall and do a
    proxy session, even if I did it purely kernel space.

    Alan

    -
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.rutgers.edu
    Please read the FAQ at http://www.tux.org/lkml/
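To make the design point in the reply concrete, here is a toy SYN cookie encoder and validator in C. It is an added example written for this page, not code from the thread, from Alan Cox, or from the Linux kernel; the bit layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash) loosely follows the classic Bernstein scheme, and the `mix64` hash, the `mss_table` values and all function names are assumptions for illustration. The hash is a fast mixer, not a cryptographic one; a real implementation must use a keyed cryptographic hash, because the whole point of "so I attack your hash function" is that a forgeable cookie lets an attacker complete handshakes without ever having received a SYN/ACK.

```c
#include <stdint.h>
#include <stdio.h>

/* Four-tuple identifying the half-open connection the cookie stands in for. */
typedef struct { uint32_t saddr, daddr; uint16_t sport, dport; } tuple4;

/* MSS values recoverable from the 3-bit index (assumed table, not the kernel's). */
static const uint16_t mss_table[8] = {536, 1220, 1440, 1460, 2048, 4096, 8192, 9000};

/* Toy 64-bit mixer (splitmix-style finalizer). NOT cryptographic; for demo only. */
static uint64_t mix64(uint64_t x) {
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

/* Keyed hash over (4-tuple, 5-bit time counter, secret key). */
static uint32_t cookie_hash(const tuple4 *t, uint32_t count, const uint64_t key[2]) {
    uint64_t h = key[0];
    h = mix64(h ^ (((uint64_t)t->saddr << 32) | t->daddr));
    h = mix64(h ^ (((uint64_t)t->sport << 48) | ((uint64_t)t->dport << 32) | count));
    h = mix64(h ^ key[1]);
    return (uint32_t)(h ^ (h >> 32));
}

/* Largest table entry not exceeding the peer's advertised MSS. */
static int mss_index(uint16_t mss) {
    int i, best = 0;
    for (i = 0; i < 8; i++)
        if (mss_table[i] <= mss) best = i;
    return best;
}

/* Build the ISN to send in the SYN/ACK. No per-connection state is stored:
 * everything needed to validate the final ACK is inside the 32-bit value.
 * `count` is a slowly moving counter (e.g. minutes since boot). */
uint32_t syncookie_make(const tuple4 *t, uint16_t peer_mss, uint32_t count,
                        const uint64_t key[2]) {
    uint32_t tc = count & 31;
    uint32_t m = (uint32_t)mss_index(peer_mss);
    uint32_t h = cookie_hash(t, tc, key) & 0xffffff;
    return (tc << 27) | (m << 24) | h;
}

/* Validate the ACK of a three-way handshake. `ack_seq` is the peer's ACK
 * number (our ISN + 1), `now` the current counter. Returns the MSS to use
 * for the new connection, or 0 if the cookie is forged, stale, or for a
 * different 4-tuple. */
uint16_t syncookie_check(const tuple4 *t, uint32_t ack_seq, uint32_t now,
                         const uint64_t key[2]) {
    uint32_t cookie = ack_seq - 1;        /* uint32 arithmetic wraps like TCP seq space */
    uint32_t tc = cookie >> 27;
    uint32_t m = (cookie >> 24) & 7;
    uint32_t age = (now - tc) & 31;       /* accept current and previous counter only */
    if (age > 1)
        return 0;
    if ((cookie & 0xffffff) != (cookie_hash(t, tc, key) & 0xffffff))
        return 0;
    return mss_table[m];
}

int main(void) {
    /* Constructed sample: 10.0.0.1:40000 -> 192.168.0.1:80, arbitrary key. */
    tuple4 t = {0x0a000001u, 0xc0a80001u, 40000, 80};
    const uint64_t key[2] = {0x0123456789abcdefULL, 0xfedcba9876543210ULL};
    uint32_t isn = syncookie_make(&t, 1460, 7, key);
    printf("cookie ISN = %08x, validates to MSS %u, two minutes later %u\n",
           isn, syncookie_check(&t, isn + 1, 7, key),
           syncookie_check(&t, isn + 1, 9, key));
    return 0;
}
```

A firewall doing the proxy session Alan describes would run `syncookie_check` on the client-facing side and, only after it succeeds, open the real connection to the protected host; nothing is allocated per SYN, so there is no table to flood and no per-port counter to trip. The 5-bit counter is what bounds replay: an attacker who captures a valid ACK can replay it for at most two counter periods against the same 4-tuple.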


