Re: source limit
On Mon, Mar 17, 2003 at 11:15:24AM +0800, NortonNg wrote:
> ipfw limit option is easy to DoS.
> for example: ipfw add tcp from any to 80 limit 1000
We're talking about src-addr, which enforces a limit per rule/source IP.
It is only DOSable for the TCP protocol if you can spoof IP addresses
and reliably predict TCP ISNs. There are a lot of arguments against this
kind of limit, but per rule/source IP pairs are at least less DOSable than
plain per rule limits.
Or through a DDoS, but a firewall rule can hardly protect against this.
 __ /*- Frank DENIS (Jedi/Sector One) <[email protected]> -*\ __
\ '/ <http://www.PureFTPd.Org/> Secure FTP Server \' /
 \/ <http://www.Jedi.Claranet.Fr/> Misc. free software \/
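As an added illustration (not part of this thread and not ipfw's own code), the following Python model compares the two policies discussed above: a plain per-rule cap, where every source shares one counter, and a per-rule/source-address cap in the style of ipfw's "limit src-addr N". The table structure, the policy names and the sample addresses are assumptions made for the model; it only tracks how many dynamic entries each bucket holds, which is the part of the behaviour that decides whether one flooding source can lock out everyone else.

```python
"""Toy model of dynamic-rule limits (added example, not ipfw code).

Policies modelled (names chosen for this example):
  "rule"     - one shared counter for the whole rule; once any mix of
               sources fills it, every further flow is refused.
  "src-addr" - one counter per source address (the ipfw
               `limit src-addr N` style discussed in the thread);
               a source can only exhaust its own quota.
"""
from collections import defaultdict


class DynamicRuleTable:
    """Counts open dynamic (stateful) entries created by a `limit` rule."""

    def __init__(self, cap, key="src-addr"):
        if key not in ("rule", "src-addr"):
            raise ValueError("key must be 'rule' or 'src-addr'")
        self.cap = cap
        self.key = key
        # bucket -> number of currently open dynamic entries
        self.open = defaultdict(int)

    def _bucket(self, src_ip):
        # Per-rule policy collapses every source into a single bucket.
        return "*" if self.key == "rule" else src_ip

    def new_connection(self, src_ip):
        """Admit a new flow (create a dynamic entry) if the bucket has room."""
        bucket = self._bucket(src_ip)
        if self.open[bucket] >= self.cap:
            return False
        self.open[bucket] += 1
        return True

    def close_connection(self, src_ip):
        """Release the dynamic entry when the flow ends."""
        bucket = self._bucket(src_ip)
        if self.open[bucket] > 0:
            self.open[bucket] -= 1

    def open_entries(self, src_ip):
        return self.open[self._bucket(src_ip)]


def admitted_after_flood(policy, cap, flood_src, flood_count, other_src):
    """Fill the table from one genuine source, then ask whether an
    unrelated source can still open a connection."""
    table = DynamicRuleTable(cap, key=policy)
    for _ in range(flood_count):
        table.new_connection(flood_src)
    return table.new_connection(other_src)


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges).
    flooder, legit = "198.51.100.7", "203.0.113.5"
    for policy in ("rule", "src-addr"):
        ok = admitted_after_flood(policy, 1000, flooder, 1000, legit)
        print(f"{policy:8s}: other source admitted after flood -> {ok}")
```

With the shared per-rule counter the unrelated source is refused once the flooder has opened 1000 entries; with the per-source counter it is still admitted, which is the sense in which the per rule/source pair is "less DOSable". The model also shows the limit of that protection: the per-source bucket is keyed on the address the firewall sees, so it only holds up when that address is genuine, which is why the reply ties the TCP case to spoofing plus ISN prediction.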