Closing off tcp

Doug Barton DougB at DougBarton.net
Wed Jan 9 21:59:28 UTC 2002


On Wed, 9 Jan 2002, Simon Waters wrote:

>
> Doug Barton wrote:
> >
> > Comments, suggestions, etc. welcome,
>
> The standards say it should be listening and answering - why do
> they want to break the standards?

	The stated goal is to reduce our syn flood profile, and reduce
vulnerability to root exploits. I keep asking for examples of the latter,
and haven't gotten any yet.

> So many people break the standards that it doesn't usually cause
> major problems, but may confuse your poor successor when he adds
> another record and bang suddenly some users can't get anything
> to work. Or maybe you don't notice you've lost a percentage of
> your potential web business....

	... which is deadly in my area. Not to mention the customer care
calls when e-mail fails for no apparent reason..... *sigh*

> SYN flooding shouldn't be a major problem if you're firewalled, or
> your kernel has defences, besides if a decent hacker wants to
> DoS you, I dare say simply flooding the bandwidth, or DNS server
> will do the trick.

	Yes, I made this exact point. We do have built-in SYN flood
protection at the OS level, and good cooperation at the b/w provider level
to deal with packet floods. At this point we've agreed to analyze the
traffic going to port 53 currently, and "take it from there."

Thanks for the responses,

Doug
-- 
    "We will not tire, we will not falter, and we will not fail."
	- George W. Bush, President of the United States
          September 20, 2001
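An added example, not part of the thread or of BIND: a small Python check an operator can run against their own server to confirm that port 53 still answers over TCP as RFC 1035 expects (the point Simon raises above), using the two-byte length framing TCP DNS requires. The server name, query name and query ID are assumptions chosen for illustration.

```python
import socket
import struct

QUERY_ID = 0x1234  # assumed fixed ID so the reply can be matched

def build_query(name: str, qtype: int = 2) -> bytes:
    """Minimal RFC 1035 query for `name`; QTYPE defaults to NS (2), class IN, RD set."""
    header = struct.pack("!HHHHHH", QUERY_ID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def frame_tcp(msg: bytes) -> bytes:
    """Over TCP a DNS message is prefixed by its length as a big-endian uint16."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header: QR, TC bits, RCODE and answer count."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "ancount": an}

def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; TCP may deliver the framed reply in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed before full DNS reply")
        buf += chunk
    return buf

def check_tcp53(server: str, name: str, timeout: float = 3.0) -> dict:
    """Ask `server` for NS of `name` over TCP/53 and report whether it answered."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(frame_tcp(build_query(name)))
            (length,) = struct.unpack("!H", recv_exact(s, 2))
            reply = recv_exact(s, length)
    except (OSError, ValueError) as exc:  # refused, filtered, timed out, or cut off
        return {"tcp_answers": False, "error": str(exc)}
    hdr = parse_header(reply)
    return {"tcp_answers": hdr["qr"] and hdr["id"] == QUERY_ID, **hdr}

if __name__ == "__main__":
    # Assumed server/name: replace with your own nameserver and a zone it serves.
    print(check_tcp53("127.0.0.1", "example.com"))
```

A result with `tcp_answers` False (connection refused or timed out) is what a filtered port 53/tcp looks like to a resolver that has been told to retry over TCP after a truncated UDP reply.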
