Martijn Lievaart wrote:
> Ric Messier wrote:
>> Bgs writes:
>>
>>> Some more info about the attack: All IPs were real IPs, otherwise the TCP
>>> handshake wouldn't have made it. The attacker IPs were also consistent.
>>> They also knew about the blocked IPs, as after a new bunch of blocked IPs
>>> we fared OK, then they added another bunch of new IPs... we played this for
>>> quite some time...
>>>
>>> All connections were in the ESTABLISHED state.
>>>
>>>
>>
>> Then your original description was incorrect or at least inadequate. It has
>> nothing to do with SYN as originally suggested since an ESTABLISHED
>> connection has blown past SYN, through SYN/ACK and by ACK. It has completed
>> the TCP handshake, as you note above. A SYN attack/flood would stop after
>> sending the initial SYN and leave the connection half-open to exhaust the
>> half-open buffers.
>>
>
> A connection is in the ESTABLISHED state once a packet has been seen.
> So once the SYN is seen, the state is ESTABLISHED.
>
Ah scratch that. You're talking about open connections, not ipfilter
state matching.
M4
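An added example, not part of the original thread: a way to tell the two cases discussed above apart from the server's socket table, by checking whether half-open or ESTABLISHED connections dominate and which remote IPs hold the most. It assumes Linux-style `netstat -ant` columns; the function names, thresholds and sample rows are constructed for illustration.

```python
from collections import Counter, defaultdict

HALF_OPEN = {"SYN_RECV", "SYN_RCVD"}  # Linux and BSD names for the same state

def make_sample():
    """Constructed connection table (not data from the thread)."""
    rows = [f"tcp 0 0 192.0.2.10:80 {ip}:{port} ESTABLISHED"
            for ip in ("198.51.100.7", "198.51.100.8")
            for port in range(40000, 40030)]
    rows.append("tcp 0 0 192.0.2.10:80 203.0.113.5:51000 ESTABLISHED")
    rows.append("tcp 0 0 192.0.2.10:80 203.0.113.9:51001 SYN_RECV")
    rows.append("tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN")
    return "\n".join(rows)

def tally(netstat_text, local_port):
    """Return {remote_ip: Counter(state)} for sockets on local_port."""
    per_ip = defaultdict(Counter)
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp"):
            continue  # headers, UDP, unix sockets
        local, remote, state = f[3], f[4], f[5]
        if local.rpartition(":")[2] != str(local_port):
            continue
        per_ip[remote.rpartition(":")[0]][state] += 1
    return per_ip

def classify(per_ip, threshold):
    """Label the table by which TCP state dominates (threshold is assumed)."""
    totals = Counter()
    for states in per_ip.values():
        totals.update(states)
    half_open = sum(totals[s] for s in HALF_OPEN)
    established = totals["ESTABLISHED"]
    if half_open >= threshold and half_open > established:
        return "syn-flood"          # handshakes never completed
    if established >= threshold:
        return "connection-flood"   # handshakes completed, sockets held open
    return "normal"

def heavy_sources(per_ip, limit):
    """Remote IPs holding more than `limit` ESTABLISHED connections."""
    return sorted(ip for ip, s in per_ip.items() if s["ESTABLISHED"] > limit)

if __name__ == "__main__":
    table = tally(make_sample(), 80)
    print(classify(table, 50), heavy_sources(table, 20))
```
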