----------------------------------------------------------------
BEFORE YOU POST, search the faq at <http://java.apache.org/faq/>
WHEN YOU POST, include all relevant version numbers, log files,
and configuration files.  Don't make us guess your problem!!!
----------------------------------------------------------------

I have had two people respond directly to me at [EMAIL PROTECTED]. I
still invite (not "tell") you to move this discussion from this list.

What I claimed was that your statement - "it is still possible to get the
half acknowledged TCP session going with the server" - is simply not true.
And it isn't. First note that the "server" to which you refer is the Web
server. Modern firewalls prevent precisely this situation using some fairly
clever tricks. I pointed out a specific article in the current issue of PC
Magazine (August 2000). I shall not attempt to repeat it here.

A larger portion of your quote is:

"....As I have mentioned earlier iPlanet Webserver runs the Servlet engine
tied to the webserver which gives it some speed advantages but then lets say
some hacker one day decides to flood your machine with non-acknowledged
TCP/IP sessions, it is simply a matter of time before your webserver goes
bye-bye. What happens now is that your servlet engine also just went dead
stopping your business completely. Somebody said here that their network
admin did not worry about it too much because their webserver was behind a
firewall and all that. The fact of the matter is that it does not matter if
your webserver is behind the firewall, you are still opening some port or
some proxy way in so that your users' requests can get to the webserver. Maybe
you opened port 80 on the firewall and direct all traffic coming in to
port 80 to the internal (private) IP address of the webserver, it is still
possible to get the half acknowledged TCP session going with the server...."

Your primary point here seems to be that because the web server can be taken
out by a SYN flood attack, that iPlanet is inferior to JServ. Now iPlanet
may be inferior for numerous other reasons, but your argument is based on
the faulty assumption that the Web server can be taken out by the SYN flood.
PC Labs tested six products and five of them kept the Web server alive. They
use different approaches, but you can read the article for yourself.

Your current post then shifts the discussion to a new argument - "Now
cutting off legitimate users basically equals losing clients in my book." I
never claimed that the firewalls would prevent service degradation - merely
that they would prevent the attacks from taking the Web server down. Your
RSA article is somewhat dated it seems to me. And I don't think the authors
claimed that SYN flood protection was impossible - they merely stated that
there were problems with the proposed approaches. On the other hand, the PC
Labs article reports on how well available products actually performed.

Finally you make me a generous offer - "I would be happy to work on taking
your checkpoint firewall down, given the IP address, mailing address,
firewall type, internal IP for the webserver, a legal document absolving me
from any responsibility for the damage, a very good amount of money and a
reasonable time frame. Actually me and a few others would be involved too.
Care to throw some money at us." Well, sorry to say this, but I don't have a
"checkpoint firewall." Nor the money you seem to want me to pay you to
launch an attack at me. Thanks for the offer, but my Web servers could be
nuked by a SYN flood attack. I already know this. What's your point?

Regards,

.... Bob Kimble
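The half-open TCP session exhaustion argued over above, and the kind of stateless trick a firewall or TCP stack uses to stay alive through it, as an added Python model. This is my example, not code from Bob's post, the RSA article or the PC Labs review; SYN cookies are one such mechanism, and the cookie bit layout, the HMAC secret, the backlog size and the addresses are all constructed assumptions rather than anything the thread specifies.

```python
"""Model of why a fixed-size half-open table falls over under a SYN flood
while a stateless SYN-cookie listener keeps accepting legitimate handshakes.
Constructed example; nothing here touches a real socket."""
import hashlib
import hmac

# Constructed secret; a real stack derives random keys at boot and rotates them.
SECRET = b"constructed-secret-not-for-production"
COUNTER_MASK = 0x1F   # 5-bit coarse time counter (think: minutes mod 32)


def syn_cookie(src_ip, src_port, dst_port, client_isn, counter, mss_idx):
    """Derive the server's ISN statelessly. Assumed layout, loosely after
    Bernstein's scheme: 5 bits counter | 3 bits MSS index | 24 bits MAC."""
    c = counter & COUNTER_MASK
    msg = f"{src_ip}:{src_port}:{dst_port}:{client_isn}:{c}:{mss_idx & 7}".encode()
    mac = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return (c << 27) | ((mss_idx & 7) << 24) | mac


def verify_cookie(src_ip, src_port, dst_port, client_isn, ack, now_counter, max_age=1):
    """Recompute the cookie from the final ACK of the handshake.
    Returns the encoded MSS index, or None if stale or forged."""
    cookie = (ack - 1) & 0xFFFFFFFF           # client ACKs server_isn + 1
    c = cookie >> 27
    mss_idx = (cookie >> 24) & 7
    if (now_counter - c) & COUNTER_MASK > max_age:
        return None                            # too old or replayed
    expected = syn_cookie(src_ip, src_port, dst_port, client_isn, c, mss_idx)
    if not hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
        return None                            # MAC mismatch: forged ACK
    return mss_idx


class BacklogListener:
    """Stateful listener: one table entry per half-open connection."""
    def __init__(self, backlog=128):
        self.backlog, self.half_open = backlog, {}

    def on_syn(self, peer, client_isn):
        if len(self.half_open) >= self.backlog:
            return None                        # backlog full: SYN dropped
        self.half_open[peer] = client_isn + 1000   # constructed server ISN
        return self.half_open[peer]

    def on_ack(self, peer, client_isn, ack):
        isn = self.half_open.pop(peer, None)
        return isn is not None and ack == isn + 1


class CookieListener:
    """Stateless listener: nothing is stored until the handshake completes."""
    def __init__(self, now=0):
        self.now, self.established = now, set()

    def on_syn(self, peer, client_isn):
        ip, port = peer
        return syn_cookie(ip, port, 80, client_isn, self.now, mss_idx=3)

    def on_ack(self, peer, client_isn, ack):
        ip, port = peer
        ok = verify_cookie(ip, port, 80, client_isn, ack, self.now) is not None
        if ok:
            self.established.add(peer)
        return ok


def simulate(flood_size, backlog=128):
    """flood_size spoofed SYNs that never complete, then one legitimate
    handshake against each listener.
    Returns (legit_ok_stateful, legit_ok_stateless, stateful_half_open_count)."""
    stateful, stateless = BacklogListener(backlog), CookieListener(now=7)
    for i in range(flood_size):
        peer = (f"198.51.100.{i % 254 + 1}", 1024 + i)   # constructed sources
        stateful.on_syn(peer, client_isn=i)            # burns a table slot
        stateless.on_syn(peer, client_isn=i)           # allocates nothing
    legit, isn = ("203.0.113.5", 40000), 12345
    s = stateful.on_syn(legit, isn)
    ok_stateful = s is not None and stateful.on_ack(legit, isn, s + 1)
    c = stateless.on_syn(legit, isn)
    ok_stateless = stateless.on_ack(legit, isn, c + 1)
    return ok_stateful, ok_stateless, len(stateful.half_open)


if __name__ == "__main__":
    for n in (10, 1000):
        print(f"{n:5d} unfinished SYNs ->", simulate(n))
```

The point of the model is the asymmetry the thread argues about: the stateful listener's half-open table is the resource a flood exhausts, so once it is full a legitimate SYN is dropped regardless of any firewall in front; the cookie listener commits no memory until a valid third packet arrives, so unfinished SYNs cost it nothing. The price, which the thread's "cutting off legitimate users" remark alludes to, is the loss of some TCP options and a 24-bit MAC that must be tied to a short-lived counter to resist replay.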



--
--------------------------------------------------------------
Please read the FAQ! <http://java.apache.org/faq/>
To subscribe:        [EMAIL PROTECTED]
To unsubscribe:      [EMAIL PROTECTED]
Search Archives: 
<http://www.mail-archive.com/java-apache-users%40list.working-dogs.com/>
Problems?:           [EMAIL PROTECTED]