Of course, all those attacks are well-known, and it's very much possible to defend against all but the bruteforce bandwidth exhaustion attack, launched from hosts that are completely not under one's control (which requires cooperation with upstream).

However, in 2005, most competently-written OSes implement SYN cookies or whatever they might choose to call it, which pretty much eliminates SYN floods, and the non-Microsoft ones are likely to disable broadcasts by default, which makes most of the attacks described infeasable.

Not bad, but rather basic. And as 'anonymous' remarked, OpenBSD can solve this for you. ;-)

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/infocus/1853/63#63