Firewall Wizards mailing list archives

Re: TCP syncookies - firewall or host?


From: Florin Andrei <florin () andrei myip org>
Date: Tue, 03 Apr 2007 14:43:26 -0700

Florin Andrei wrote:

This sounds like a job for the firewall, but on the other hand all those 
servers are very fast, there's a lot of them, and usually they're mostly 
idle. So I'm very tempted to dump that task on the servers.

OTOH, if I let the servers deal with it, wouldn't that fill up resources 
on the firewall real quick during an attack? So in that case, syncookies 
at the firewall level would be better.

I will do some tests to trigger some issues that might occur in real 
life and see how each piece of equipment handles that, but until then 
I'd like to get a second opinion, so that's why I'm asking.

-- 
Florin Andrei

http://florin.myip.org/