Hi,
My conception is, humans usually do not establish as many SYN connections as
Nimda or other worms; if I can determine a threshold of simultaneous SYN
connections that Nimda usually creates, probably I will be able to drop packets
from specific source IPs which meet the threshold. There is a chance of false
positives - I agree.
If you can _really_ figure out a metric for mutually exclusive TCP/SYN patterns
generated by existing worms and write it down in a mathematical formula which
has lower false positive rate than any TCP/QoS "defense" mechanism using
stochastic (timed) fairness approach I think you will not need to worry about
money anymore in the future. In fact a lot of very influential people in the
Internet business might feel the sudden urge to talk to you! ;)
Best regards and please don't let me be in your way,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
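
An added example, not part of the original mail: a per-source sliding-window SYN counter of the kind the first paragraph proposes, run over constructed events to show the false positive the poster concedes. The window, threshold, addresses (documentation ranges) and function names are assumptions.

```python
from collections import defaultdict, deque

WINDOW_MS = 1000   # assumed observation window
THRESHOLD = 20     # assumed max SYNs per source inside one window


def flag_sources(syn_events, window_ms=WINDOW_MS, threshold=THRESHOLD):
    """syn_events: (timestamp_ms, src_ip, dst_ip) tuples sorted by time.
    Returns {src_ip: timestamp_ms at which it first exceeded the threshold}."""
    recent = defaultdict(deque)   # src_ip -> timestamps still inside the window
    flagged = {}
    for ts, src, _dst in syn_events:
        q = recent[src]
        q.append(ts)
        # Evict SYNs that have aged out of the window for this source.
        while ts - q[0] > window_ms:
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged


def sample_events():
    """Constructed traffic, not captured data."""
    ev = []
    # Worm-like host: 100 SYNs, 10 ms apart, each to a new destination.
    ev += [(i * 10, "192.0.2.66", f"198.51.100.{i}") for i in range(100)]
    # Single workstation: 5 SYNs, 2 s apart.
    ev += [(i * 2000, "192.0.2.5", "198.51.100.200") for i in range(5)]
    # Shared proxy/NAT gateway: 40 SYNs in a 0.4 s burst on behalf of many users.
    ev += [(5000 + i * 10, "192.0.2.1", "198.51.100.201") for i in range(40)]
    return sorted(ev)


if __name__ == "__main__":
    for limit in (20, 50):
        hits = flag_sources(sample_events(), threshold=limit)
        print(f"threshold={limit}: {hits}")
```

With the threshold at 20 the shared gateway is flagged alongside the worm-like host; raising it to 50 clears the gateway here, but only because this constructed burst happens to stay below it.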