On Thu, 12 Sep 1996, Michael Dillon wrote: ==>Now here is something that could be used by sites to protect against ==>SYN flood attacke assuming that they can build a special custom box ==>with enough RAM to buffer the sockets for 30 seconds or more. How high ==> ==>From: "Roderick Murchison, Jr." <murchiso@vivid.newbridge.com> ==> ==>Ok. say you have a firewall between your network and you Internet ==>connection. If that firewall could detect and *detain* a segment with the ==>SYN option set, then see if the set source IP answers an ICMP echo This is bad. You should never depend upon remote hosts to give you ICMP responses to establish connections. This is because of several reasons: 1. What if a real remote site uses "established" connection firewalls and chooses to block ICMP? In that case, you've limited yourself vastly as to what can connect to you (there are a lot of sites which use cisco's "established" keyword to firewall and keep functionality). 2. When links become congested, ICMP packets are given a lower priority to make way for real data. /cah ---- Craig A. Huegen CCIE #2100 || || Network Analyst, IS-Network/Telecom || || cisco Systems, Inc., 250 West Tasman Drive |||| |||| San Jose, CA 95134, (408) 526-8104 ..:||||||:..:||||||:.. email: chuegen@cisco.com c i s c o S y s t e m s