Tom Perrine writes:
Dima> Any data on how the firewall itself withstands SYN attacks? How much
Dima> resources are needed to cope with a real attack? From what I've read in
Dima> their white paper it's just a piece of SYN-processing code that was
Dima> duplicated (functionally) in the gateway, so all concerns about resource
Dima> usage and speed seem to be still valid.
I agree.
It seems to me that placing this processing in the firewall is *potentially* dangerous, as now a SYN-flooding attack (*IF* *successful*) will deny service to everything behind the firewall, instead of just the targeted host.
If I know I can fire-hose your firewall, and take your *site* off the net, then it might become more attractive to me to "find" sufficient CPU and bandwidth resources to generate enough packets to take you out. This could "raise the stakes" enough to make it worth it to an attacker.
I have no opinion about this product specifically, though I don't really favor the approach (at least if you have other options, which most people do). However, I doubt this objection is valid. I think it should be pretty easy to write code that can handle an entire T1 full of SYNs pretty easily on a low-end Pentium box (as long as the Ethernet driver is up to it, which should also not be a big problem). Even without the moderately clever ideas already being implemented (like random drop and SYN hashing) the current BSD code can comfortably handle 1000 elements in a linked list. Hashing alone will probably buy you two or three orders of magnitude improvement. So maybe you can kill someone's firewall with a T3 with this approach. So what? You can *already* do that...

/a
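The bounded-cost half-open table the thread is arguing about (hashing instead of one long linked list, plus random drop when the table is full), as an added example that is not code from the thread or from any BSD release; the bucket layout, the (source address, source port, destination port) key, the hash constant and the table size are assumptions made for illustration:

```c
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical half-open (embryonic) connection table, constructed for this
 * example: SYNs are hashed into small fixed-depth buckets, so a lookup scans at
 * most DEPTH entries instead of one long linked list, and a full bucket evicts
 * a random older entry ("random drop") so a fresh SYN is never refused. */
#define NBUCKETS 128
#define DEPTH    8                        /* NBUCKETS * DEPTH = 1024 slots */
struct halfopen { uint32_t saddr; uint16_t sport, dport; uint8_t used; };
static struct halfopen table[NBUCKETS][DEPTH];

static unsigned bucket_of(uint32_t saddr, uint16_t sport, uint16_t dport) {
    uint32_t h = saddr * 2654435761u;     /* Knuth multiplicative hashing */
    h ^= ((uint32_t)sport << 16) | dport;
    h *= 2654435761u;
    return (h >> 16) % NBUCKETS;
}

static struct halfopen *find(uint32_t saddr, uint16_t sport, uint16_t dport) {
    struct halfopen *b = table[bucket_of(saddr, sport, dport)];
    for (int i = 0; i < DEPTH; i++)       /* bounded scan, independent of load */
        if (b[i].used && b[i].saddr == saddr && b[i].sport == sport && b[i].dport == dport)
            return &b[i];
    return NULL;
}

/* Record a received SYN; returns 1 if an older entry had to be dropped. */
int syn_insert(uint32_t saddr, uint16_t sport, uint16_t dport) {
    if (find(saddr, sport, dport)) return 0;           /* retransmit: already queued */
    struct halfopen *b = table[bucket_of(saddr, sport, dport)];
    int slot = -1, dropped = 0;
    for (int i = 0; i < DEPTH && slot < 0; i++) if (!b[i].used) slot = i;
    if (slot < 0) { slot = rand() % DEPTH; dropped = 1; }   /* random drop */
    b[slot] = (struct halfopen){ saddr, sport, dport, 1 };
    return dropped;
}
int syn_present(uint32_t saddr, uint16_t sport, uint16_t dport) { return find(saddr, sport, dport) != NULL; }
int syn_count(void) {                     /* entries currently held */
    int n = 0;
    for (int i = 0; i < NBUCKETS; i++) for (int j = 0; j < DEPTH; j++) n += table[i][j].used;
    return n;
}
/* Offline load test: n SYNs from pseudo-random (constructed) sources to port 80; returns drops made. */
int syn_load_test(unsigned n, unsigned seed) {
    int drops = 0;
    srand(seed);
    for (unsigned i = 0; i < n; i++) drops += syn_insert((uint32_t)rand(), (uint16_t)rand(), 80);
    return drops;
}
```

The point for the resource question raised above is that lookup cost stays bounded by DEPTH whatever the arrival rate, and a new SYN always finds a slot at the expense of an older half-open entry rather than being refused.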