Tim Bass writes:
> Can you explain why you just don't block the IP address of the sender from your gateway routers.
Because each and every forged SYN comes in with a different randomly generated sender address.
> Is the sender using different IP source addresses in the IP packet?
Not just different from their own address -- different in each packet!
> This does not seem like a rocket science firewall project, based on what I have read.
Steve Bellovin and Bill Cheswick, who literally wrote the book on firewalls, don't agree with you. Ask them if you care to.
> Please explain what makes this attack 'rocket science' to stop.
Okay, the problem is that there is no a priori way to know that a packet with a forged source address is not a legitimate request being made to your HTTP server or mail server. Sure, you could just block all incoming TCP traffic of all sorts, but that sort of eliminates the entire point of being connected to the net, doesn't it?
> Show me the topology, the router configurations of the gateways, and the format of the denial-of-service attack packets and I'll be surprised if I can't devise a scheme to stop it,
God, you're an arrogant @#$%, aren't you.
> even if the attacker changes source addresses frequently (and I'm happy to do it).
Okay. Tell me how to block the packets. Please. I'm open minded. Some of the best minds I know of have thought about this problem long and hard, but maybe you are smarter. The best thing that we've come up with is piss poor and probably won't do much good with an educated attacker. There *are* ways to harden hosts against these attacks, but that's another story.

Perry
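An added illustration of the point Perry is making, written for this thread rather than taken from it: a small simulation of a listener's half-open queue that compares address-based filtering at the gateway (Tim's proposal) with stateless SYN cookies (host hardening). The backlog size, timeout, packet rates and all addresses are constructed values; no packets are sent.

```python
import random
from collections import Counter, deque

BACKLOG = 128        # half-open slots the listener has (constructed value)
SYN_TIMEOUT = 75.0   # seconds a half-open entry lives before it is reaped
PER_IP_LIMIT = 3     # 'per_ip': refuse a source once it holds this many slots

def forged_syns(rate, seconds, rng, fixed_src=None):
    """Attacker SYNs as (time, src). fixed_src=None forges a fresh random
    source address for every packet, the case the thread describes."""
    syns = []
    for i in range(int(rate * seconds)):
        src = fixed_src or ".".join(str(rng.randint(1, 254)) for _ in range(4))
        syns.append((i / rate, src))
    return syns

def legit_syns(rate, seconds, src="192.0.2.10"):
    """Real clients: they finish the handshake at once, so they only need a free slot."""
    return [(i / rate, src) for i in range(int(rate * seconds))]

def dropped_legit(attack, legit, policy):
    """Replay both streams in time order; count legitimate SYNs refused.
    'none'   every SYN takes a slot until it times out
    'per_ip' address-based filtering, the scheme proposed in the thread
    'cookie' SYN cookies: no per-connection state, so nothing to fill"""
    arrivals = sorted([(t, s, False) for t, s in attack] + [(t, s, True) for t, s in legit])
    backlog, held, dropped = deque(), Counter(), 0   # backlog: (expiry, src), oldest first
    for t, src, is_legit in arrivals:
        while backlog and backlog[0][0] <= t:        # reap timed-out entries
            held[backlog.popleft()[1]] -= 1
        if policy == "cookie" or (policy == "per_ip" and held[src] >= PER_IP_LIMIT):
            continue                                  # no slot consumed, nothing dropped
        if is_legit:
            if len(backlog) >= BACKLOG:
                dropped += 1                          # queue full: real client refused
        elif len(backlog) < BACKLOG:
            backlog.append((t + SYN_TIMEOUT, src))
            held[src] += 1
    return dropped

def compare(seed=7, fixed_src=None):
    """Same traffic under all three policies -> {policy: dropped legitimate SYNs}."""
    rng = random.Random(seed)
    attack = forged_syns(10, 60, rng, fixed_src)     # 600 SYNs, enough to fill 128 slots
    legit = legit_syns(1, 60)
    return {p: dropped_legit(attack, legit, p) for p in ("none", "per_ip", "cookie")}

if __name__ == "__main__":
    print("random forged sources:", compare())                        # per_ip helps not at all
    print("single fixed source:  ", compare(fixed_src="203.0.113.7"))  # per_ip works here
```

With a fresh random source on every packet, no address ever reaches the per-source limit, so the gateway filter refuses nothing and the queue fills exactly as with no filter at all; only the stateless host-side defence keeps legitimate clients connecting.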