Hi,

On Sat, Jan 11, 2003 at 04:40:53PM -0800, Josh Brooks wrote:
...
> After reading some more documents on DoS attacks (namely
> http://www.e-gerbil.net/ras/projects/dos/dos.txt ) I have found that there
> are two nice mechanisms to thwart a large number of ack and syn floods.
>
> First, it turns out (from the paper I mention above) that most of the SYN
> flood tools out there send the SYNs with no MSS.
>
> Second, it turns out that the default stream.c has ACK numbers of zero on
> every packet. So although I realize that since ipfw is stateless I cannot
> put in the _real_ fix (with ipfilter):

ipfw has been stateful since early 2000, so you can implement
exactly the same thing mentioned below in ipfw as well.
Read the ipfw manpage for details.

	cheers
	luigi

> -- start rule set --
> block in quick proto tcp from any to any head 100
> pass in quick proto tcp from any to any flags S keep state group 100
> pass in all
> -- end rule set --

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
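The ipfw counterpart of the quoted ipfilter rule set, as an added example rather than anything posted in the thread: it uses the check-state / setup keep-state idiom the reply points to, wrapped in an rc.firewall-style script. The rule numbers, the ${fwcmd} variable and the DRY_RUN switch are my own choices, and rule 120 (outbound setup keep-state) goes beyond the quoted set so that connections the host itself opens also get a dynamic entry.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw equivalent of the quoted
# ipfilter rules, written in the style of FreeBSD's rc.firewall.
#
#   ipfilter                                     ipfw
#   block in quick proto tcp ... head 100   ->   deny tcp from any to any in
#   pass in quick ... flags S keep state    ->   allow tcp ... in setup keep-state
#   pass in all                             ->   allow ip from any to any
#
# Only a SYN-only segment ("setup") may create a dynamic rule; every other
# inbound TCP segment must match an existing dynamic entry via check-state
# or is dropped, so bare ACK floods and non-SYN probes never reach the stack.

# On a host without /sbin/ipfw, or with DRY_RUN=1, just print the commands.
if [ -x /sbin/ipfw ] && [ "${DRY_RUN:-0}" = 0 ]; then
    fwcmd="/sbin/ipfw"
else
    fwcmd="echo /sbin/ipfw"
fi

ipfw_stateful_tcp() {
    # $fwcmd is deliberately unquoted so "echo /sbin/ipfw" splits into two words.
    # 100: match packets against the dynamic rule table first.
    $fwcmd add 100 check-state
    # 110: inbound SYN-only segments may open a connection and create state.
    $fwcmd add 110 allow tcp from any to any in setup keep-state
    # 120: outbound SYNs from this host (extension of the quoted set) so that
    #      the returning SYN/ACK is accepted by rule 100 instead of rule 130.
    $fwcmd add 120 allow tcp from any to any out setup keep-state
    # 130: any other inbound TCP segment without a state entry is dropped.
    $fwcmd add 130 deny tcp from any to any in
    # 140: everything else passes, like "pass in all" in the ipfilter set.
    $fwcmd add 140 allow ip from any to any
}

ipfw_stateful_tcp
```

Rules are added, not flushed, so load this into an empty rule set or renumber it to sit ahead of existing rules.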