Hi, just brainstorming here...
I was reading about these "distributed reflective denial of service" attacks (spray a ton of IPs with spoofed SYN packets and they all hit the target with SYN/ACKs) and I was wondering:
- Would it not be possible to just block SYN/ACK packets that have the state NEW, or would a legitimate SYN/ACK have that state anyway? (By legitimate I mean the box that receives the SYN/ACK actually sent the first SYN.)
- If it's possible to just block those, is there any reason why I would NOT want to do that?
I'm just trying to learn and in the process make my little iptables firewall as secure as possible -- even though I doubt anyone will ever try this attack on me ;-)
Thoughts?
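An added example, not part of the original post: an iptables fragment that does what the question describes, with the rule order that keeps legitimate replies working. It assumes a Linux host with iptables and the conntrack match (`-m conntrack --ctstate`); the chain name SYNACK_NEW and the log prefix are made up for this example, not iptables defaults.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Linux iptables with the
# conntrack match. The chain name SYNACK_NEW and the "synack-new: " log
# prefix are arbitrary choices for this example.
#
# Why it works: a SYN/ACK answering a SYN this host sent is the reply
# direction of an existing conntrack entry, so conntrack reports it as
# ESTABLISHED and the first rule accepts it before anything else runs.
# A SYN/ACK with no matching entry (reflection backscatter, or a reply to a
# SYN this host never sent) cannot be ESTABLISHED; Linux conntrack classifies
# such a packet as INVALID rather than NEW, so the rule matches both states
# instead of NEW alone.

# Print the ruleset in iptables-restore format. This is a filter-table
# fragment only: merge it with your existing INPUT rules, keeping the order.
synack_filter_rules() {
    cat <<'EOF'
*filter
:SYNACK_NEW - [0:0]
# 1. Replies to connections this host opened, including legitimate SYN/ACKs
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 2. Inbound TCP with SYN and ACK both set and no matching connection
-A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate INVALID,NEW -j SYNACK_NEW
# Rate-limited log so a reflection flood cannot fill the disk, then drop
-A SYNACK_NEW -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "synack-new: "
-A SYNACK_NEW -j DROP
COMMIT
EOF
}

# Sanity check used before applying: how many DROP rules the fragment carries.
synack_drop_rule_count() {
    synack_filter_rules | grep -c -- '-j DROP'
}

# "apply" loads the fragment without flushing other chains (-n); "test"
# only parses it. Both need root. Anything else just prints the rules.
case "${1:-print}" in
    apply) synack_filter_rules | iptables-restore -n ;;
    test)  synack_filter_rules | iptables-restore -n --test ;;
    *)     synack_filter_rules ;;
esac
```

Two things worth knowing before copying this in. First, because Linux conntrack marks a lone SYN/ACK as INVALID, a rule on `--ctstate NEW` alone would not catch backscatter at all; if your INPUT chain already starts with `-m conntrack --ctstate INVALID -j DROP`, that rule is already doing this job, and the dedicated chain above mainly adds visibility through the log line. Second, the cases where you would not want this are the ones where the box cannot see both directions of a connection: a firewall on an asymmetric route, where the outbound SYN left through another path, will see the legitimate SYN/ACK as INVALID and drop it. On a single host with one uplink that problem does not arise. Re-running `apply` appends the INPUT rules a second time, so for a permanent setup put the fragment in your full iptables-restore file instead.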