
John Bashinski wrote: | > Well IPSec provides for authentication of endpoints which would | > identify the syn attacker. | | Only if the attacker were so stupid as to put in valid authentication | data identifying herself. | | I think IPSEC would allow you to throw away the SYNs without processing | them and without putting anything in your incoming connection queue. On the | other hand, you'd have to do all the authentication protocol and | computation for each packet in order to determine that it was bogus. I can | see where that could lead to a still worse denial-of-service attack if your | IPSEC code wasn't properly written. This is not correct. IPsec requires key negotiation, which takes place as or after a connection starts. (Photuris has a system where a new connection requires a cookie be traded before any expensive works gets done. It does not avoid all work.) Peter DaSilva, in a posting to firewalls, suggested that routers turn on record route on packets with SYN set. My initial reaction, that the core doesn't have the CPU, and the leafs will never deploy, turns out to be wrong; the big providers can make it a condition of connecting to them that this be done, and the problem of non-existant return addresses substantially diminishes as soon as cisco releases the software. The core routers don't change, since they are busy; the leafs do, since they need to connect to the core. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume
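The cookie exchange mentioned above (a responder hands back a cheap, stateless cookie and does no expensive work until that cookie returns from the claimed source) can be illustrated with a small simulation. This is an added example, not code from the post or from Photuris; the cookie format (a truncated HMAC over the claimed source address, port and a time epoch), the `Responder` class, the epoch length and the sample addresses are all constructed for the demonstration and do not reflect the real Photuris message layout.

```python
import hashlib
import hmac
import os

# Responder-side secret. Constructed here; a real responder would rotate it.
SERVER_SECRET = os.urandom(32)


def make_cookie(server_secret: bytes, client_addr: str, client_port: int, epoch: int) -> bytes:
    """Stateless cookie: keyed hash over the claimed source and a time epoch.

    Nothing about the peer is stored when this is computed, so a flood of
    first packets from forged addresses costs one hash each and no memory.
    """
    msg = f"{client_addr}:{client_port}:{epoch}".encode()
    return hmac.new(server_secret, msg, hashlib.sha256).digest()[:16]


class Responder:
    """Hypothetical responder that gates expensive work behind a cookie."""

    def __init__(self, secret: bytes, epoch_seconds: int = 60):
        self.secret = secret
        self.epoch_seconds = epoch_seconds
        self.state_entries = 0        # per-peer state, allocated only after a valid cookie
        self.expensive_work_done = 0  # stands in for key negotiation (e.g. a DH exponentiation)

    def _epoch(self, now: float) -> int:
        return int(now // self.epoch_seconds)

    def on_first_packet(self, src_addr: str, src_port: int, now: float) -> bytes:
        # Phase 1: reply with a cookie bound to the claimed source. No state,
        # no key negotiation. A forged source never sees this reply.
        return make_cookie(self.secret, src_addr, src_port, self._epoch(now))

    def on_cookie_reply(self, src_addr: str, src_port: int, cookie: bytes, now: float) -> bool:
        # Phase 2: only a peer that actually received the cookie can echo it.
        # Accept the current or previous epoch so a reply straddling an epoch
        # boundary is not rejected; anything older is stale.
        for epoch in (self._epoch(now), self._epoch(now) - 1):
            expected = make_cookie(self.secret, src_addr, src_port, epoch)
            if hmac.compare_digest(expected, cookie):
                self.state_entries += 1
                self.expensive_work_done += 1
                return True
        return False


def simulate_flood(responder: Responder, n: int, now: float) -> tuple:
    """Constructed: n first packets from distinct sources that never reply.

    Returns (state entries, expensive operations) caused by the flood.
    """
    for i in range(n):
        responder.on_first_packet(f"10.0.{i // 256}.{i % 256}", 40000 + (i % 20000), now)
    return responder.state_entries, responder.expensive_work_done


def simulate_legit(responder: Responder, now: float) -> bool:
    """Constructed: a reachable peer completes the two-phase exchange."""
    cookie = responder.on_first_packet("192.0.2.7", 51000, now)
    return responder.on_cookie_reply("192.0.2.7", 51000, cookie, now)


if __name__ == "__main__":
    r = Responder(SERVER_SECRET)
    print("flood of 10000 first packets ->", simulate_flood(r, 10000, 1000.0))
    print("legitimate peer completes   ->", simulate_legit(r, 1000.0))
```

The point the simulation makes is the one the post makes: the cookie removes the state and the expensive computation from the unauthenticated first packet, but the responder still spends one keyed hash per packet, so it reduces rather than eliminates the work an attacker can impose.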