Re: Ability to withstand well known attacks
On 22 Jul 2003 ericb@digitaljunkyard.net wrote:
> Syncookies have their own problems (the "immaculate connection"*), and
> rely on good cryptographically strong random numbers, which are not
> always available on embedded devices.
If you don't have good crypto-strong random numbers, you probably shouldn't
be speaking TCP in the first place... immaculate connection would be the
least of your worries.
There are *always* sources of entropy to seed PRNGs. Turning the device
on and off is one.
Perhaps a strong PRNG could be part of the opsec requirement?
> Another acceptable solution is line rate ACLs for traffic TO the
> device (as opposed to THROUGH the device). Your 768k SYN flood just
> would not make it to the TCP server.
Performance impact though...
-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
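The point Eric and Dan are arguing over, that SYN cookies stand or fall on a secret nobody else can predict, is easier to see with a concrete encoder/validator. The block below is an added illustration written for this page, not code from either poster and not the Linux implementation; the 6-bit counter / 2-bit MSS index / 24-bit HMAC-SHA256 layout, the four-entry MSS table and the two-tick validity window are all assumptions chosen to keep it small. The server keeps no per-connection state: everything needed to rebuild the connection comes back in the client's ACK, and the only thing that stops a stranger from minting valid cookies is the secret drawn from `secrets.token_bytes()`.

```python
import hashlib
import hmac
import ipaddress
import secrets
import struct

# Hypothetical MSS buckets (2 bits => 4 entries); a real stack uses its own table.
MSS_TABLE = [536, 1300, 1440, 1460]


class SynCookieServer:
    """Stateless SYN cookie generator/validator (illustrative, not a real stack)."""

    def __init__(self, secret=None, window=2):
        # The secret MUST come from a CSPRNG. A predictable secret would let
        # anyone compute valid cookies, which is the weakness Eric alludes to.
        self.secret = secret if secret is not None else secrets.token_bytes(32)
        self.window = window  # how many counter ticks a cookie stays acceptable

    def _mac(self, saddr, sport, daddr, dport, count):
        # Bind the cookie to the 4-tuple and to the coarse time counter so that
        # an old cookie cannot be replayed with fresh counter bits.
        msg = struct.pack(
            "!4sH4sHI",
            ipaddress.ip_address(saddr).packed, sport,
            ipaddress.ip_address(daddr).packed, dport, count,
        )
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")  # keep 24 bits

    def make_cookie(self, saddr, sport, daddr, dport, count, mss):
        """Return the 32-bit ISN to send in SYN-ACK; nothing is stored locally."""
        # Largest table entry that does not exceed the client's advertised MSS.
        mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
        mac = self._mac(saddr, sport, daddr, dport, count)
        # Layout (assumed): [6-bit counter][2-bit MSS index][24-bit MAC]
        return ((count & 0x3F) << 26) | (mss_idx << 24) | mac

    def verify_ack(self, saddr, sport, daddr, dport, now, ack):
        """Given the client's ACK number, return the negotiated MSS, or None."""
        cookie = (ack - 1) & 0xFFFFFFFF  # the ACK acknowledges ISN + 1
        count = (cookie >> 26) & 0x3F
        mss_idx = (cookie >> 24) & 0x3
        mac = cookie & 0xFFFFFF
        age = (now - count) & 0x3F  # modular, so a wrapped counter still works
        if age > self.window:
            return None  # too old: the counter has moved past the window
        expected = self._mac(saddr, sport, daddr, dport, count)
        if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return None  # wrong secret, wrong 4-tuple or tampered bits
        return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    # Constructed sample handshake: client 10.0.0.5:40000 -> server 192.0.2.1:80.
    srv = SynCookieServer()
    isn = srv.make_cookie("10.0.0.5", 40000, "192.0.2.1", 80, count=17, mss=1460)
    print("SYN-ACK ISN:", hex(isn))
    print("ACK validated one tick later:",
          srv.verify_ack("10.0.0.5", 40000, "192.0.2.1", 80, now=18, ack=isn + 1))
    print("ACK validated ten ticks later:",
          srv.verify_ack("10.0.0.5", 40000, "192.0.2.1", 80, now=27, ack=isn + 1))
```

The `count` argument stands in for a slowly incrementing clock (a minute counter, say); the validator tolerates `window` ticks of drift and rejects anything older, which is what bounds how long a captured cookie is useful. Because the MAC covers the full 4-tuple and the counter, the same ACK replayed from another source address, or validated by a host holding a different secret, fails the constant-time comparison.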