On Wed, 2003-09-03 at 13:21, Jason Dixon wrote:
> On Wed, 2003-09-03 at 13:16, Benjamin J. Weiss wrote:
> This is potentially a very bad idea, depending on the scenario. It's
> trivial to spoof an innocent bystander's address, causing dynamic
> blocking of those systems/networks. OpenBSD has a nice feature that has
> been imported to -current that works nicely against attacks like these:
> developers have added the ability to filter based on TCP SYN signature.
> It only requires the capture of the initial SYN packet, comparing it
> against a local list of known signatures. As you might imagine, it's
> very effective at blocking initial connections from Windows hosts. ;-)
>

Ultimately, I think that the best idea is to make sure that Apache will
continue to withstand the attacks.
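
The SYN-signature comparison described in the quoted text, as an added example that is not part of the original messages and is not OpenBSD's code: it extracts a signature from the initial SYN of an IPv4 TCP connection and looks it up in a local list. The signature layout, the list entries, the OS labels, the sample packet and the helper names are all constructed for illustration.

```python
import struct

# Constructed signature list for illustration (not entries from OpenBSD's
# pf.os): key is (initial TTL, DF bit, window size, TCP option kinds in order).
SIGNATURES = {
    (128, True, 65535, (2, 1, 1, 4)): "example-os-a",
    (64, True, 16384, (2, 1, 1, 4, 1, 3)): "example-os-b",
}

def build_syn(ttl, df, window, options, flags=0x02):
    """Build a constructed IPv4+TCP packet (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0,
                      (5 + len(options) // 4) << 4, flags, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    return ip + tcp

def syn_signature(packet):
    """Return (ttl, df, window, option kinds) for an IPv4 TCP SYN, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    if ihl < 20 or len(tcp) < 20 or tcp[13] & 0x12 != 0x02:  # SYN set, ACK clear
        return None
    data_off = (tcp[12] >> 4) * 4
    if data_off < 20 or len(tcp) < data_off:
        return None
    opts, kinds, i = tcp[20:data_off], [], 0
    while i < len(opts) and opts[i] != 0:       # kind 0 ends the option list
        kinds.append(opts[i])
        if opts[i] == 1:                         # NOP is a single byte
            i += 1
        elif i + 1 < len(opts) and opts[i + 1] >= 2:
            i += opts[i + 1]
        else:
            return None                          # malformed option length
    # Round the observed TTL up to the nearest common initial value.
    ttl = next(t for t in (32, 64, 128, 255) if packet[8] <= t)
    df = bool(struct.unpack("!H", packet[6:8])[0] & 0x4000)
    window = struct.unpack("!H", tcp[14:16])[0]
    return (ttl, df, window, tuple(kinds))

def classify(packet):
    """Look the SYN's signature up in the local list."""
    sig = syn_signature(packet)
    return None if sig is None else SIGNATURES.get(sig, "unknown")

# Constructed sample: observed TTL 120 (initial 128 minus 8 hops), DF set,
# window 65535, options MSS 1460, NOP, NOP, SACK-permitted.
SAMPLE_SYN = build_syn(120, True, 65535, bytes.fromhex("020405b401010402"))
```

Only the first packet of the connection is inspected, so the lookup can run before any application data is accepted.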