I believe that this is still true, but I am talking
about serving as a firewall for a webserver sitting behind, so the connection
table of the firewall would never fill up (since it is only passing along the
SYN packets).
-David
----- Original Message -----
Sent: Tuesday, April 29, 2003 4:34 PM
Subject: Re: TCP SYN Proxy
Correct me if I'm wrong, but once the connection table
fills up, doesn't obsd randomly drop half-open connections?
I thought this was implemented a while back, as an alternative to the
SYN cookies.
Adam Wenzel
If I understand the question correctly (and I may not), you
want the firewall to be able to dynamically start blocking DDoS attacks
without human intervention, right? This can be done using snort and
PF's tables/anchors.
I've never implemented it, but I've seen plenty of docs on it.
--Bryan
On Tue, 2003-04-29 at 12:20, David Powers wrote:
> I am implementing a firewall (hopefully in OpenBSD) for a group that
> has become gun-shy of SYN flood attacks. One of the questions asked
> was whether a "syn proxy" could be implemented on the firewall to
> handle initial connection setup without taxing the webserver behind
> it. Some Googling indicates that some of the big proprietary
> firewalls implement syn proxies to some significant effect
> (http://www.usenix.org/events/sec01/invitedtalks/oliver.pdf) but
> nothing about whether it has been done on OpenBSD. Has something like
> this been done, and if not, do people think it would be better
> implemented in pf somehow or as a standalone daemon?
>
> -David Powers
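As an added example that is not part of this thread (nor of pf's own documentation), the following pf.conf fragment shows both things the thread asks about: pf's `synproxy state` option, which makes the firewall complete the TCP three-way handshake with the client itself and only open a connection to the web server once the handshake has succeeded (the option exists in pf from OpenBSD 3.3, released shortly after this exchange), and a `table` that an external watcher such as snort can populate at runtime through pfctl, which is the tables/anchors approach Bryan refers to. The interface names and addresses are assumptions chosen for the example.

```pf
# Added example, not from the thread. Interface names and addresses are assumed.
ext_if    = "fxp0"
int_if    = "fxp1"
webserver = "192.0.2.10"

# Addresses that an outside watcher (e.g. snort driving pfctl) has flagged as
# flooding. 'persist' keeps the table around even while it is empty.
table <flooders> persist

# Bound the state table so a flood fills it predictably instead of exhausting
# kernel memory; tune to the box.
set limit states 10000

set skip on lo

# Default deny inbound on the external interface.
block in on $ext_if

# Drop anything already flagged before pf spends a state entry on it.
block in quick on $ext_if from <flooders>

# SYN proxy for the web server: pf answers the client's SYN with its own
# SYN/ACK and forwards nothing to the server until the client's ACK arrives.
# A spoofed or half-open SYN therefore never occupies the server's backlog.
pass in on $ext_if proto tcp from any to $webserver port 80 \
    flags S/SA synproxy state

# Let the proxied connection continue to the server on the inside interface.
pass out on $int_if proto tcp from any to $webserver port 80 keep state
```

A watcher adds an offender with `pfctl -t flooders -T add 203.0.113.7` and removes everything with `pfctl -t flooders -T flush`; the same effect can be had by loading rules into an `anchor` with `pfctl -a name -f file`. One caveat a practitioner should keep in mind: with `synproxy state` the firewall itself now holds a state entry for every proxied handshake, so a SYN flood lands on pf's state table rather than on the web server's listen queue. That is the point of the feature, but it means the firewall's state limits, not the server's, are what a flood is testing.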