FreeBSD firewall block syn flood attack

Mike Silbersack silby at silby.com
Tue May 20 06:46:53 PDT 2003


On Tue, 20 May 2003, jeremie le-hen wrote:

> Note that in fact, this might be achieved on your firewall (FreeBSD also
> supports syncookies), but this would imply TCP SYN to be received by the
> firewall itself, which in turn would forward the TCP connection to the
> appropriate server once the connection would be fully established.
> (I think a simple TCP tunnel with a NAT redirection to localhost should
> work.)
>
> Regards,
> --
> Jeremie aka TtZ/TataZ
> jeremie.le-hen at epita.fr

You could certainly pull that off with an application level proxy, but the
disadvantage would be that the server would no longer be able to determine
the source IP of the machines connecting to it.

It would be possible to add the syncache / syncookies to ipfw so that it
could be used to protect hosts behind it, but I don't think anyone has
tried an implementation of that yet.

Mike "Silby" Silbersack
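To make the mechanism under discussion concrete, here is an added, simplified SYN-cookie encoder and validator in C. It is illustrative code written for this thread, not the FreeBSD syncache/syncookie implementation and not code from either poster. The idea it shows is the one the thread relies on: the server (or a firewall answering on its behalf) puts a keyed hash of the connection's own 4-tuple and client ISN, a coarse timestamp and an MSS index into the ISN of its SYN+ACK, keeps no per-SYN state, and only reconstructs the connection when a matching ACK comes back. The FNV-1a keyed hash, the 5-bit minute counter, the 3-bit MSS table and all addresses and keys are constructed stand-ins; a kernel would use a cryptographic keyed hash here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Connection identity as seen in the SYN: 4-tuple plus the client's ISN. */
struct flow {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint32_t client_isn;
};

/* Stand-in keyed hash (FNV-1a over key || flow || counter). Demo only:
 * a real implementation uses a cryptographic keyed hash. */
static uint32_t keyed_hash(const uint8_t *key, size_t keylen,
                           const struct flow *f, uint32_t counter)
{
    uint8_t buf[20];
    uint32_t h = 2166136261u;
    size_t i;

    memcpy(buf + 0,  &f->saddr, 4);
    memcpy(buf + 4,  &f->daddr, 4);
    memcpy(buf + 8,  &f->sport, 2);
    memcpy(buf + 10, &f->dport, 2);
    memcpy(buf + 12, &f->client_isn, 4);
    memcpy(buf + 16, &counter, 4);

    for (i = 0; i < keylen; i++)      h = (h ^ key[i]) * 16777619u;
    for (i = 0; i < sizeof buf; i++)  h = (h ^ buf[i]) * 16777619u;
    return h;
}

/* Only 3 bits are available for the MSS, so it is quantised to a table. */
static const uint16_t mss_table[8] = {536, 1220, 1440, 1460, 2048, 4096, 8192, 9000};

int mss_to_index(uint16_t mss)
{
    int i, best = 0;
    for (i = 0; i < 8; i++)
        if (mss_table[i] <= mss) best = i;
    return best;
}

#define COUNTER_MASK 0x1fu   /* 5-bit minute counter in the top bits */
#define MAX_AGE_MIN  2       /* accept ACKs up to this many minutes late */

/* Cookie layout: [31..27] minute counter, [26..24] MSS index, [23..0] hash. */
uint32_t syncookie_make(const uint8_t *key, size_t keylen, const struct flow *f,
                        uint16_t client_mss, uint32_t now_minutes)
{
    uint32_t count = now_minutes & COUNTER_MASK;
    uint32_t h = keyed_hash(key, keylen, f, count) & 0xffffffu;
    return (count << 27) | ((uint32_t)mss_to_index(client_mss) << 24) | h;
}

/* Returns the MSS to use for the reconstructed connection, or 0 if the
 * cookie is forged, belongs to a different flow, or is too old. */
uint16_t syncookie_check(const uint8_t *key, size_t keylen, const struct flow *f,
                         uint32_t cookie, uint32_t now_minutes)
{
    uint32_t count = cookie >> 27;
    uint32_t idx   = (cookie >> 24) & 7u;
    uint32_t age   = (now_minutes - count) & COUNTER_MASK;

    if (age > MAX_AGE_MIN)
        return 0;
    if ((keyed_hash(key, keylen, f, count) & 0xffffffu) != (cookie & 0xffffffu))
        return 0;
    return mss_table[idx];
}

/* One handshake: SYN -> cookie in SYN+ACK -> ACK validated after a delay.
 * Returns what the validator would hand back to the stack (0 = rejected). */
uint16_t demo(uint16_t client_mss, uint32_t ack_delay_minutes, uint32_t ack_tamper)
{
    static const uint8_t key[] = "constructed-demo-secret";          /* constructed */
    struct flow syn = { 0x0a000001u, 0x0a000002u, 40000, 80, 0x12345678u }; /* constructed */
    uint32_t t = 100;                                                  /* minutes since boot */

    uint32_t cookie = syncookie_make(key, sizeof key - 1, &syn, client_mss, t);
    /* A tampered ack number models an attacker who never saw the SYN+ACK. */
    return syncookie_check(key, sizeof key - 1, &syn, cookie ^ ack_tamper,
                           t + ack_delay_minutes);
}

int main(void)
{
    printf("valid ACK after 1 min: mss=%u\n", demo(1460, 1, 0));
    printf("forged ack number:     mss=%u\n", demo(1460, 1, 0x5a5a));
    printf("ACK 3 min late:        mss=%u\n", demo(1460, 3, 0));
    return 0;
}
```

Because the cookie is bound to the client's real source address and port, this is also why the firewall-side variant Jeremie sketches and the ipfw idea above differ from an application proxy: a device validating cookies in front of the server still sees the original client address, but it has to be in the path for the final ACK and must then hand a connection to the real server that the server never saw a SYN for, which is the part nobody had implemented.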

