Lee,

Yes I am worried about tcp syn attacks, AND bogus "time wasting" ssl negotiations - basically anything malicious that can happen to a "naked" listening socket.

I didn't think there would be a satisfactory software solution .. just asked because there are some clever people out there...!!

cheers
Neil

----- Original Message -----
From: "Lee Dilkie" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 19, 2003 8:46 PM
Subject: RE: OpenSSL denial of service

> Depends on the attack itself?
>
> are you worried about syn flood type attacks, on the tcp port itself?
>
> or are you worried about ssl attacks that go through with ssl negotiation
> and simply strive to consume processing resources?
>
> the former has several solutions, including firewalls.
>
> the latter is not as easy to protect yourself against. using honking big h/w
> accelerators is one solution. I don't know of any s/w solutions.
>
> -lee
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Neil Humphreys
> > Sent: Tuesday, August 19, 2003 2:24 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: OpenSSL denial of service
> >
> > Shawn,
> >
> > Thanks for the response.
> >
> > It's a lovely thought, but it's not as simple as sticking in a firewall I am
> > afraid .. that leaves me open to attacks that can't be blocked by the firewall ..
> > such as attacks from inside the firewall, or attacks from outside that use
> > the correct port and appear to come from a valid IP address (unless I
> > block tcp connections from the internet zone, which I cannot do).
> >
> > I was just wondering if anyone did anything to reduce the impact of high
> > volume brute force attacks against the listening socket, that cannot be
> > blocked in any trivial way (such as the firewall).
> >
> > I take it the answer's "no" then.
> >
> > ----- Original Message -----
> > From: "Shawn P. Stanley" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, August 18, 2003 9:38 PM
> > Subject: Re: OpenSSL denial of service
> >
> > > I use a firewall, myself.
> > >
> > > On 8/18/03 3:08 PM, "Neil Humphreys" <[EMAIL PROTECTED]> wrote:
> > >
> > > > Hi
> > > > Has anyone got any good examples / advice / tricks for reducing the impact of
> > > > denial-of-service attacks on an SSL listening socket?
> > > >
> > > > cheers
> > > > Neil
> > >
> > > ______________________________________________________________________
> > > OpenSSL Project                                 http://www.openssl.org
> > > User Support Mailing List                    [EMAIL PROTECTED]
> > > Automated List Manager                           [EMAIL PROTECTED]