At 04:13 PM 5/25/00 +0200, Mikael Olsson wrote:
>This thread ought to be terminated, but I just can't resist a good
>argument when I see one :-)
Yeah, you're probably right :-) I'll let you have the last word.
> > Good theory, not seen to work in practice. For example, the Ping-Of-Death
> > bug. The first fixes for SYN flood attacks came from the proxy firewall
> > vendors, not packet filters.
>
>*ahem*. Back then, stateful packet filters were a fairly new idea
>(I may even have my history wrong here, did they exist at all?)
>so I wouldn't consider this a representative example. Competition
>and maturity of technology have certainly improved response time
>among responsible companies.
The SYN flood attack agents showed up in late 1996. (Yes, the problem
existed long before that; it just wasn't on the radar screen until an
attack agent was written.) Firewall-1 was shipping 3.0 or so IIRC at that
point. That's what the SYNDefender for Firewall-1 was all about - a
response to that form of DoS.
>Again, not a good example. DDoS is a problem no matter what firewall you
>have.
>Unless there's a firewall that willingly shuts down when more than 10
>packets per second are dropped, or something like that. (And I have yet
>to see such a firewall).
Agreed. Simple DoS is easy to fix (null-route the attacker); nobody's got
an effective fix for DDoS.
-Rick
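The distinction Rick draws above (one attacker you can null-route versus a distributed flood where that does not help) as an added example, not code from this thread or from Check Point. The log lines, their format, the IP addresses and the thresholds are all constructed for illustration; the null-route commands are only generated, not executed.

```python
"""Classify a SYN flood by source distribution and decide whether
null-routing is a workable response.  Added example; the log format
("<epoch> SYN <src> -> <dst>:<port>") and thresholds are assumptions."""
from collections import Counter

# Constructed sample logs (not real traffic).
# Case 1: one host in 203.0.113.0/24 hammers the target, plus a few legit SYNs.
SINGLE_SOURCE_LOG = (
    [f"{959254380 + i} SYN 203.0.113.7 -> 192.0.2.10:80" for i in range(200)]
    + [f"{959254600 + i} SYN 192.0.2.{i + 1} -> 192.0.2.10:80" for i in range(5)]
)
# Case 2: 200 distinct hosts in 198.51.100.0/24 each send two SYNs.
DISTRIBUTED_LOG = [
    f"{959254380 + n} SYN 198.51.100.{(n % 200) + 1} -> 192.0.2.10:80"
    for n in range(400)
]


def parse_syn_sources(lines):
    """Count SYNs per source IP; lines that do not match the format are skipped."""
    counts = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[1] != "SYN" or parts[3] != "->":
            continue
        counts[parts[2]] += 1
    return counts


def classify_flood(counts, total_threshold=100, top_share=0.9):
    """Return (verdict, sources).

    "no-flood"      : fewer than total_threshold SYNs seen
    "single-source" : one IP sends at least top_share of all SYNs;
                      null-routing that IP stops the attack
    "distributed"   : traffic spread over many IPs; a null route per
                      source is just a long block list that does not
                      stop the next source
    """
    total = sum(counts.values())
    if total < total_threshold:
        return "no-flood", []
    top_ip, top_n = counts.most_common(1)[0]
    if top_n / total >= top_share:
        return "single-source", [top_ip]
    return "distributed", [ip for ip, _ in counts.most_common()]


def null_route_commands(ips):
    """Linux commands that would blackhole each source (assumed router; not run here)."""
    return [f"ip route add blackhole {ip}/32" for ip in ips]


if __name__ == "__main__":
    for name, log in (("single", SINGLE_SOURCE_LOG), ("distributed", DISTRIBUTED_LOG)):
        verdict, sources = classify_flood(parse_syn_sources(log))
        print(name, verdict, len(sources), "source(s)")
        if verdict == "single-source":
            print("  ", null_route_commands(sources)[0])
```

The share threshold is the whole point: in the single-source case one blackhole route ends the attack, while in the distributed case the same logic would hand you two hundred routes and the attacker's next two hundred hosts would still get through, which is why a null route is a fix for DoS and not for DDoS.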
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================