> What do you mean by ``their IP''? A standard SYN flood comes from an
> unpredictable sequence of forged IP addresses. How do you distinguish
> the attacker's packets from legitimate packets?
you don't. it's a limitation of the patch/method due to a flaw in IPv4. youcan
go to various convolutions to limit the damage, though, outside of the patch.
Quote:> What if the attacker instead generates SYNs from the IP address of a
> legitimate machine? Do you cut off connections from that IP address?
yes. again, a limitation of IPv4 and the spoofing that can occur, and i noted,
as you may have noticed, that yes, it can be used as a DoS attack. what if, for
instance, i SYN flood you pretending to be your nameserver(s)... ok, you
firewall them out. fair enough, now you can't communicate with your nameservers.
name your machine you want to block communications with and it's done. (and
don't forget that attacks from within the network, where you don't protect as
well against spoofing internal, important IP's, are a worse security problem.
disgruntled employees are worse than high school kids.) it's a hack, not a magic
bullet, and it thwarts a lot of otherwise easily performed attacks, probes and
my original point still stands, though, that the author of the post that started
this thread is working on a problem that has solutions of various levels. unless
the author has some radical solution, i suggest he finds a new problem. and if
he does have a new solution, please share the solution (i'm with
rain.forrest.puppy on openness in faults and solutions).