August 11th, 2007, 06:12 AM
#16
 Originally Posted by Ippersiel
A follow-up question. Would this not also make it hard for a legitimate request from coming in? Wouldn't the 500 be busy dealing with the bogus requests that the legitimate user be missed, or just receive a slow response?
The CBAC that he mentioned does give a small performance hit on any router. This is just due to the fact that you're doing all your processing in software and the more you do the more you slow your router (Routers are not specifically designed as a firewall, but do a good enough job, sometimes).
This type of attack would not noticeably hurt even the CBAC system, but this is because of the way traffic is handled by any gateway device (the old name for a firewall). See, traffic is not automatically allowed into your network; in fact, traffic that does adhere to your specific set of rules (or your access lists) does not even get the courtesy of being examined further or forwarded, it is simply dropped.
To the question of legitimate traffic, well that's defined two ways. Either by your rules that I just mentioned, or by dynamically created access lists that are created as a packet leaves and only remain open for a specific time frame. These (very simplified) work something like this: (forgive me if I don't want to build a real packet, that would require opening an old college book)
sender's IP :to: destination IP :using: port number
The router will only allow something to come back in that looks like
destination IP :to: sender IP :using: (port number expected by router)
So what I'm trying to say is that properly configured gateway devices do not suffer in the event of most DoS, DDoS or SYN attacks as they do not suffer the attackers (yes, it's a play on words).
Last edited by The_Captain; August 11th, 2007 at 06:14 AM.
"Experience is the hardest teacher, it gives the test first and the lesson after." Anonymous
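The dynamic return entries described in the post above, sketched as an added example that is not part of the original post and is not Cisco's CBAC implementation. It goes slightly beyond the post's simplified tuple by also tracking the source port; the class names, the 30-second timeout and all addresses are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

@dataclass
class Gateway:
    """Toy model of a gateway with static rules plus timed dynamic entries."""
    idle_timeout: float = 30.0                       # assumed entry lifetime (seconds)
    static_allow: set = field(default_factory=set)   # (dst, dport) always allowed inbound
    dynamic: dict = field(default_factory=dict)      # expected reply tuple -> expiry time

    def outbound(self, pkt: Packet, now: float) -> None:
        # A packet leaving the network opens a temporary hole for its reply only.
        expected = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        self.dynamic[expected] = now + self.idle_timeout

    def inbound(self, pkt: Packet, now: float) -> str:
        if (pkt.dst, pkt.dport) in self.static_allow:
            return "forward (static rule)"
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        expiry = self.dynamic.get(key)
        if expiry is None:
            return "drop"                 # unsolicited: no lookup beyond this, no state kept
        if now > expiry:
            del self.dynamic[key]
            return "drop (expired)"
        self.dynamic[key] = now + self.idle_timeout   # refresh while the flow is active
        return "forward (dynamic entry)"

def demo():
    gw = Gateway()
    # Constructed traffic: an inside host opens a web request to an outside server.
    gw.outbound(Packet("10.0.0.5", "203.0.113.10", 40000, 80), now=0.0)
    reply = Packet("203.0.113.10", "10.0.0.5", 80, 40000)
    results = [gw.inbound(reply, now=1.0)]
    # Constructed flood: 200 unsolicited packets from different source addresses.
    flood = [Packet(f"198.51.100.{i}", "10.0.0.5", 1024 + i, 80) for i in range(1, 201)]
    results.append({gw.inbound(p, now=2.0) for p in flood})
    results.append(len(gw.dynamic))       # the flood created no new entries
    results.append(gw.inbound(reply, now=100.0))
    return results

if __name__ == "__main__":
    print(demo())
```
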