Anything wrong with blocking "new" SYN/ACK packets?

Hi, just brainstorming here...

I was reading about these "distributed reflective denial of service" attacks (spray a ton of IPs with spoofed SYN packets and they all hit the target with SYN/ACKs) and I was wondering:

  1. Would it not be possible to just block SYN/ACK packets that have the state NEW, or would a legitimate SYN/ACK have that state anyway? (By legitimate I mean the box that receives the SYN/ACK actually sent the first SYN.)

  2. If it's possible to just block those, is there any reason why I would NOT want to do that?

I'm just trying to learn and in the process make my little iptables firewall as secure as possible -- even though I doubt anyone will ever try this attack on me ;-)

Thoughts?

BlackHole

Yes (depending on your packet filter, that is).

No.

No.

cu

59cobalt
Ansgar -59cobalt- Wiechers

Cool, well there's one more defense added to my arsenal of iptables rules ;-)

Thanks

BlackHole

You could well try to only allow TCP packets with certain flags and drop the rest, instead of the opposite :D

goarilla
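The question in the first post (is a legitimate SYN/ACK ever NEW, and is a reflected one ever anything else?) and goarilla's suggestion of whitelisting flags rather than blacklisting them can both be checked with a small model of what a stateful filter does. The following is an added example, not code from the thread: it models connection tracking the way the iptables conntrack match does (a packet with no flow entry is NEW, a packet belonging to an entry we created is ESTABLISHED), applies the rules the posters describe, and runs constructed packets through them. The packet records, addresses and ports are made up; the iptables rules quoted in the comments are the real-world equivalents of the logic, but are not run here.

```python
"""Model of the SYN/ACK filtering discussed in the thread (added example).

A simplified connection tracker: a TCP flow gets an entry when a SYN is
seen (in either direction), and any later packet on that 4-tuple is
ESTABLISHED.  A packet on a 4-tuple with no entry is NEW.  Real conntrack
has more states (RELATED, INVALID), but this is enough to answer the
question: does a legitimate SYN/ACK ever arrive with state NEW?

The equivalent iptables rules (not executed by this script):
  # the rule from the question: drop unsolicited SYN/ACKs
  iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j DROP
  # goarilla's approach: whitelist, default deny
  iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW --dport 22 -j ACCEPT
  iptables -P INPUT DROP
"""
from dataclasses import dataclass

# TCP flag bits
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def flow_key(pkt: Packet) -> frozenset:
    """Direction-independent 4-tuple, so a reply matches the flow its SYN created."""
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


class ConnTracker:
    """Minimal conntrack: remembers flows whose first packet was accepted."""

    def __init__(self) -> None:
        self.flows: set = set()

    def state(self, pkt: Packet) -> str:
        return "ESTABLISHED" if flow_key(pkt) in self.flows else "NEW"

    def record(self, pkt: Packet) -> None:
        """Called for a packet that was accepted: create the flow entry."""
        self.flows.add(flow_key(pkt))


def filter_input(pkt: Packet, tracker: ConnTracker, listening: set) -> tuple:
    """Verdict for an inbound TCP packet under the thread's rules.

    ESTABLISHED traffic is accepted; among NEW packets only a bare SYN to a
    listening port is accepted (goarilla's whitelist), which makes the
    explicit "drop NEW SYN/ACK" rule from the question a special case.
    Returns (verdict, reason).
    """
    if tracker.state(pkt) == "ESTABLISHED":
        return "ACCEPT", "belongs to a flow we started or accepted"
    if pkt.flags & (SYN | ACK) == SYN | ACK:
        return "DROP", "unsolicited SYN/ACK: reflection traffic or scan"
    bare_syn = pkt.flags & (SYN | ACK | RST | FIN) == SYN  # what iptables --syn matches
    if bare_syn and pkt.dport in listening:
        tracker.record(pkt)
        return "ACCEPT", "new connection to a listening port"
    return "DROP", "NEW packet that is not a bare SYN to an open port"


def run_scenarios() -> dict:
    """Constructed packets (not captured traffic) exercising each case."""
    tracker = ConnTracker()
    me = "10.0.0.5"
    listening = {22}
    results = {}

    # 1. We open a connection outbound; the OUTPUT path creates the entry.
    tracker.record(Packet(me, 40000, "203.0.113.9", 80, SYN))
    legit = Packet("203.0.113.9", 80, me, 40000, SYN | ACK)
    results["legit_synack"] = filter_input(legit, tracker, listening)[0]

    # 2. A reflected SYN/ACK from a host we never sent a SYN to.
    reflected = Packet("198.51.100.7", 443, me, 33333, SYN | ACK)
    results["reflected_synack"] = filter_input(reflected, tracker, listening)[0]

    # 3. Someone connects to our SSH port with a normal SYN.
    inbound_syn = Packet("192.0.2.10", 51000, me, 22, SYN)
    results["syn_to_open_port"] = filter_input(inbound_syn, tracker, listening)[0]

    # 4. ...and the follow-up ACK of that same handshake is now ESTABLISHED.
    inbound_ack = Packet("192.0.2.10", 51000, me, 22, ACK)
    results["ack_after_syn"] = filter_input(inbound_ack, tracker, listening)[0]

    # 5. A lone ACK with no flow entry (ACK scan) falls out of the whitelist.
    stray_ack = Packet("192.0.2.11", 51001, me, 22, ACK)
    results["stray_ack"] = filter_input(stray_ack, tracker, listening)[0]

    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20s} {verdict}")
```

The model confirms the short answers in the thread: the only SYN/ACK that reaches the ESTABLISHED branch is the one answering a SYN we sent, so dropping NEW SYN/ACKs costs nothing legitimate. It also shows why goarilla's default-deny form is the stronger version: the stray ACK in scenario 5 is not a SYN/ACK and slips past the single blacklist rule, but is dropped by the whitelist. One caveat for the real kernel: whether an unsolicited non-SYN packet is reported as NEW or INVALID depends on the nf_conntrack_tcp_loose setting, so in practice a rule dropping ctstate INVALID is usually added alongside the NEW rule.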
