[4290] in North American Network Operators' Group

Re[6]: SYN floods (was: does history repeat itself?)

daemon@ATHENA.MIT.EDU (Pat Calhoun)
Wed Sep 11 11:31:08 1996

Date: Wed, 11 Sep 1996 09:38:11 -0500
From: pcalhoun@usr.com (Pat Calhoun)
To: "Alec H. Peterson" <chuckie@panix.com>
Cc: alexis@panix.com, nanog@merit.edu, perry@piermont.com

     Alec,
     
        I agree but if the NAS has the ability of raising a flag if a 
     malicious user (done with the use of a filter at the edge) tried to 
     create havoc, it would make your life much easier in not only 
     tracking, but possibly taking legal action.
     
     Pat R. Calhoun                                e-mail: pcalhoun@usr.com 
     Project Engineer - Lan Access R&D                phone: (847) 933-5181 
     US Robotics Access Corp.

______________________________ Reply Separator _________________________________
Subject: Re: Re[4]: SYN floods (was: does history repeat itself?)
Author:  "Alec H. Peterson" <chuckie@panix.com> at Internet
Date:    9/10/96 5:05 PM


Pat Calhoun writes:
>
>     Alexis,
>     
>        However if you are filtering on your outbound router to the net, 
>     there is still the possibility that a malicious user could spoof 
>     addresses as long as they belong to your address space. By moving the 
>     filter out to the edge (when you have the equipment) this eliminates 
>     that problem as well.
     
This is true, but if it is a valid host, the invalid SYNs will do 
nothing, because the source host will send a RST and the 
almost-connection will be torn down.  And if it isn't a valid host, it 
will still be _much_ easier to track, because you know in general where 
it's coming from.
     
Alec
     
-- 
+------------------------------------+--------------------------------------+ 
|Alec Peterson - chuckie@panix.com   | Panix Public Access Internet and UNIX| 
|Network Administrator/Architect     | New York City, NY                    | 
+------------------------------------+--------------------------------------+
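
Added example, not part of the original messages: a minimal Python model of the two filter placements discussed in this thread, an outbound filter at the provider's border versus a per-port filter at the NAS that also raises a flag. The address ranges, port names and function names are constructed for illustration and do not describe any vendor's NAS.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not from the thread).
PROVIDER_SPACE = ipaddress.ip_network("198.51.100.0/24")
PORT_ASSIGNMENTS = {  # hypothetical NAS port -> address assigned to that user
    "port1": ipaddress.ip_address("198.51.100.10"),
    "port2": ipaddress.ip_address("198.51.100.11"),
}
PACKETS = [  # (ingress port, source address), constructed
    ("port1", "198.51.100.10"),   # legitimate
    ("port2", "198.51.100.10"),   # source is another customer's valid host
    ("port2", "203.0.113.7"),     # source is outside the provider's space
    ("port2", "198.51.100.200"),  # source is an unused address in provider space
]

def border_filter(src):
    """Outbound filter at the border router: checks only the aggregate."""
    return ipaddress.ip_address(src) in PROVIDER_SPACE

def edge_filter(port, src):
    """Per-port filter at the NAS: source must equal the assigned address."""
    return PORT_ASSIGNMENTS.get(port) == ipaddress.ip_address(src)

def evaluate(packets):
    """Return (passed_border, passed_edge, flags) for a list of packets."""
    passed_border, passed_edge, flags = [], [], []
    for port, src in packets:
        if border_filter(src):
            passed_border.append((port, src))
        if edge_filter(port, src):
            passed_edge.append((port, src))
        else:
            # The "flag": the NAS knows exactly which port sent the packet.
            flags.append({"port": port, "claimed_src": src,
                          "assigned": str(PORT_ASSIGNMENTS.get(port))})
    return passed_border, passed_edge, flags

if __name__ == "__main__":
    border, edge, flags = evaluate(PACKETS)
    print("passed border filter:", border)
    print("passed edge filter:  ", edge)
    for f in flags:
        print("FLAG", f)
```

The border filter narrows a spoofed packet's origin to the provider's address block, while the edge filter's flag names the individual port.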