Firewall Wizards mailing list archives
SYNDefender on FireWall-1 Questions...
From: agetchel () kde state ky us
Date: Mon, 12 Feb 2001 16:57:00 -0500
Hey Y'all,
I'm thinking about turning on SYNDefender on our firewall to quell
some recent trouble we've had with SYN flood DoS attacks against our
network, and I have a few questions some of you guys may be able to shed
some light on.
1) What is a reasonable timeout period? 10 seconds (the default) seems
pretty good. Generally you could consider anything that doesn't complete
the three-way TCP handshake in that time period to be unusable anyway, or a
SYN flood from a spoofed address.
2) Does SYNDefender continue to monitor connections after the three-way TCP
handshake has completed as opposed to moving them out of a special area of
memory (what would normally be the backlog queue on the target server)? The
reason I ask this is that I'm trying to set the 'maximum sessions' value to
an appropriate number. Should I set it to the number of TCP sessions that
we normally have open at any given time (just under 50,000) or should I set
it to the value of TCP sessions that are in the three-way handshaking
process (in a target host's backlog queue) at any given time? Is there any
way to log when SYNDefender reaches the limit you set in the 'maximum
session' setting?
3) The documentation says that all SYNDefender warning messages are output
to the console. Is there any way to log these to an error log?
4) How much extra load can I expect SYNDefender to put on the firewall? I'm
not too worried about processing power (or should I be?), but more worried
about the amount of memory it may consume.
5) When SYNDefender is running in its non-passive mode, and it actually
replies back to a SYN-ACK coming from an internal machine with an ACK, does
it spoof the IP address of the external machine which originally made the
request? I don't see how it would work if it didn't, but I thought I'd ask.
Does the same go for the RST if the external host doesn't ACK back?
Thanks in advance for any answers you all can provide.
Thanks,
Abe
Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice 502-564-2020x225
E-mail agetchel () kde state ky us
Web http://www.kde.state.ky.us/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
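The questions above (timeout, the "maximum sessions" table, logging when the limit is hit, and the spoofed ACK/RST in non-passive mode) are easier to reason about against a working model of a SYN relay. The block below is an added, simplified simulation written for this archive page; it is not Check Point's code and does not claim to reproduce SYNDefender's actual behaviour. The half-open table, the 10 second timeout, the assumption that a full table drops new SYNs and logs the event, the `max_sessions` value, and all IP addresses are constructed for the example.

```python
"""Simplified model of a SYN-relay ("gateway") defence, as discussed in the post.

Added example, not Check Point's implementation. Behaviour modelled:
  * an external SYN creates a half-open entry (bounded by max_sessions);
  * when the internal server answers SYN-ACK, the gateway ACKs it with the
    external client's address spoofed as source, so the server's backlog
    slot is freed immediately;
  * when the real client ACKs, the entry is dropped (no longer tracked);
  * entries older than `timeout` are expired and the server is sent a RST,
    again with the client's address spoofed.
What happens when the table is full (drop + log) is an assumption here.
"""
from __future__ import annotations
from dataclasses import dataclass, field

SYN, SYNACK, ACK, RST = "SYN", "SYN-ACK", "ACK", "RST"


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


@dataclass
class Entry:
    started: float            # time the external SYN was seen
    server_acked: bool = False  # gateway already ACKed the server's SYN-ACK


@dataclass
class SynGateway:
    timeout: float = 10.0      # post's default timeout
    max_sessions: int = 1000   # assumed size of the half-open table
    table: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def on_packet(self, pkt: Packet, now: float) -> list:
        """Process one packet; return packets the gateway itself emits."""
        out = []
        if pkt.flags == SYN:                       # external client -> server
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if len(self.table) >= self.max_sessions:
                self.log.append(f"{now:.1f} max_sessions={self.max_sessions} "
                                f"reached; dropping SYN from {pkt.src}:{pkt.sport}")
                return out
            self.table[key] = Entry(started=now)
        elif pkt.flags == SYNACK:                  # server -> client
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            e = self.table.get(key)
            if e and not e.server_acked:
                # Complete the server side on the client's behalf (spoofed source).
                out.append(Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, ACK))
                e.server_acked = True
        elif pkt.flags == ACK:                     # real client completes handshake
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.table:
                del self.table[key]                # established: stop tracking
                self.log.append(f"{now:.1f} established {key}")
        return out

    def expire(self, now: float) -> list:
        """Tear down half-open entries older than `timeout`; RST the server if needed."""
        out = []
        for key, e in list(self.table.items()):
            if now - e.started >= self.timeout:
                client, cport, server, sport = key
                if e.server_acked:
                    out.append(Packet(client, cport, server, sport, RST))
                del self.table[key]
                self.log.append(f"{now:.1f} timeout {key} after {self.timeout}s")
        return out


def legit_handshake():
    """One genuine client: gateway ACKs the server, entry gone after client's ACK."""
    gw = SynGateway(max_sessions=5)
    gw.on_packet(Packet("203.0.113.7", 40000, "10.0.0.5", 80, SYN), 0.0)
    emitted = gw.on_packet(Packet("10.0.0.5", 80, "203.0.113.7", 40000, SYNACK), 0.1)
    gw.on_packet(Packet("203.0.113.7", 40000, "10.0.0.5", 80, ACK), 0.2)
    return emitted, len(gw.table)


def spoofed_flood(n: int = 8):
    """n SYNs from addresses that never ACK back (constructed), table size 5."""
    gw = SynGateway(max_sessions=5)
    for i in range(n):
        t = i * 0.01
        gw.on_packet(Packet(f"198.51.100.{i}", 1000 + i, "10.0.0.5", 80, SYN), t)
        gw.on_packet(Packet("10.0.0.5", 80, f"198.51.100.{i}", 1000 + i, SYNACK), t + 0.001)
    rsts = gw.expire(11.0)    # past the 10 s timeout
    dropped = [line for line in gw.log if "max_sessions" in line]
    return len(dropped), len(rsts), len(gw.table)


if __name__ == "__main__":
    print(legit_handshake())
    print(spoofed_flood())
```

In this model the answer to question 2 falls out directly: once the client's ACK arrives the entry is deleted, so `max_sessions` bounds half-open connections, not the 50,000 established ones, and the log captures both the limit being hit and each timeout-driven RST.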