RE: syn DDoS attack solution

NetFilter

RE: syn DDoS attack solution

To:	"'Martijn Lievaart'" <m@rtij.nl>
Subject:	RE: syn DDoS attack solution
From:	"Ric Messier" <kilroy@WasHere.COM>
Date:	Fri, 1 Jun 2007 15:38:12 -0600
Cc:	netfilter@lists.netfilter.org
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	netfilter-list1@securepoint.com
In-reply-to:	<466090CA.2050806@rtij.nl>
List-archive:	</pipermail/netfilter>
List-help:	<mailto:netfilter-request@lists.netfilter.org?subject=help>
List-id:	General discussion and user questions <netfilter.lists.netfilter.org>
List-post:	<mailto:netfilter@lists.netfilter.org>
List-subscribe:	<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>
List-unsubscribe:	<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>
Organization:	Chaotic@Best
References:	<465EF582.4070904@bgs.hu> <015e01c7a3bf$64fbe7e0$2ef3b7a0$@COM> <465FEA82.709@bgs.hu> <007101c7a45d$bc50e380$34f2aa80$@COM> <466090CA.2050806@rtij.nl>
Sender:	netfilter-bounces@lists.netfilter.org
Thread-index:	AceklJJNdsG/oHO7RW+2UUsqGfqoIgAAFCDQ

Martijn Lievaart writes:
> 
> Ric Messier wrote:
> > Then your original description was incorrect or at least inadequate.
> It has
> > nothing to do with SYN as originally suggested since an ESTABLISHED
> > connection has blown past SYN, through SYN/ACK and by ACK. It has
> completed
> > the TCP handshake, as you note above. A SYN attack/flood would stop
> after
> > sending the initial SYN and leave the connection half-open to exhaust
> the
> > half-open buffers.
> >
> 
> An connection is in the ESTABLISHED state once a packet has been seen.
> So once the SYN is seen, the state is ESTABLISHED.
> 

Not last time I checked. That may be true to some degree in iptables but in
netstat, an ESTABLISHED connection is one that has made it through the
handshake process. Otherwise, it's in SYN_RECV state. 

Ric

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
RE: syn DDoS attack solution, (continued) RE: syn DDoS attack solution, Martin McKeay Re: syn DDoS attack solution, Bgs Re: syn DDoS attack solution, Steven M Campbell ..prevention, was: syn DDoS attack solution, Arnt Karlsen Re: ..prevention, was: syn DDoS attack solution, Steven M Campbell Re: ..prevention, was: syn DDoS attack solution, Arnt Karlsen RE: syn DDoS attack solution, R. DuFresne RE: syn DDoS attack solution, Ric Messier Re: syn DDoS attack solution, Martijn Lievaart Re: syn DDoS attack solution, Martijn Lievaart RE: syn DDoS attack solution, Ric Messier <= Re: syn DDoS attack solution, Ethy H. Brito Re: syn DDoS attack solution, Bgs

Previous by Date:	Re: syn DDoS attack solution, Martijn Lievaart
Next by Date:	Re: syn DDoS attack solution, Ethy H. Brito
Previous by Thread:	Re: syn DDoS attack solution, Martijn Lievaart
Next by Thread:	Re: syn DDoS attack solution, Ethy H. Brito
Indexes:	[Date] [Thread] [Top] [All Lists]