[4114] in linux-net channel archive
Re: SYN floods
daemon@ATHENA.MIT.EDU (Alex.Bligh)
Tue Aug 20 15:36:36 1996
To: lefty@sliderule.geek.org.uk (Lefty)
cc: alan@cymru.net, linux-net@vger.rutgers.edu, nelson@crynwr.com
In-reply-to: Your message of "Tue, 20 Aug 1996 16:23:51 GMT."
<199608201623.QAA11776@sliderule.geek.org.uk>
Date: Tue, 20 Aug 1996 18:44:47 +0100
From: "Alex.Bligh" <amb@xara.net>
> > It's up to ISPs to filter addresses coming FROM their network which are
> > not their own addresses. I would dearly like the big providers to write
> > that into their acceptable use policy as a requirement. These problems
> > have to be stopped _at_source_, and the random clueless provider is a
> > hazard to all otherwise. We don't allow people to run telephone companies
> > without showing some degree of sense so they won't upset the existing
> > infrastructure, so why do we allow ISPs to get away with it to the bad
> > suffering of other ISPs?
>
> Because ANYONE with a couple thousand can set up an ISP..
Where do they get their feed from though? Filtering on source
only becomes administratively difficult at the point where the
customer (whoever upstream/downstream they are) can generate their
own BGP adverts. I.e. if a small ISP takes a feed from a large ISP
and that small ISP cannot arbitrarily route new IP addresses
without the upstream manually configuring the router, then as
part of that manual configuration they can update the source
filtering too.
The idea has been suggested (for instance on NANOG) that one
might automate source filtering and source tracing. The former
is problematic - for instance to source filter by inbound BGP
advert has problems if routing is intentionally asymmetric.
The latter is quite interesting. It was a suggestion for an
RFC for a protocol which worked on the principle of working back
from an 'attacked' host through the routers on the way asking
each router 'where are you seeing traffic with a source address
of w.x.y.z coming in', and if it did see traffic through one
i/f, broadcasting the same packet up to upstream routers. Each
router on the way reports back to the original host which
builds up a map of where the traffic is coming from. Obviously
certain people might choose to turn this off. But then they
might well be treated as suspect.
Funnily enough this idea came about on NANOG as an attempt
to halt source spoofed denial of service attacks.
Alex Bligh
Xara Networks
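An added worked example, not part of Alex Bligh's post or anything in this thread, of the two mechanisms the message describes: an ingress source filter that the upstream updates in the same manual provisioning step that adds a customer's routes, and a hop-by-hop traceback query that asks each router which interface carries traffic with a given source address and follows it upstream, noting routers that decline to answer. Router names, interface names, prefixes and packet counts are all constructed for the example; the traceback logic is a simplified model of the NANOG suggestion, not an implementation of any real protocol.

```python
"""Constructed illustration of (1) per-customer source filtering at an
upstream border router and (2) a hop-by-hop source-address traceback.
Everything here (topology, prefixes, counters) is made up for the example."""

import ipaddress
from collections import defaultdict


class SourceFilter:
    """Ingress filter keyed by customer interface.  The allowed prefixes come
    from the same manual configuration that installs the customer's routes,
    so the filter only needs touching when the routes do."""

    def __init__(self):
        self.allowed = defaultdict(list)  # iface -> [ip_network, ...]

    def assign(self, iface, prefix):
        """Provisioning step: customer on `iface` may source from `prefix`."""
        self.allowed[iface].append(ipaddress.ip_network(prefix))

    def permits(self, iface, src):
        """True if a packet from `src` arriving on `iface` may be forwarded."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.allowed[iface])


class Router:
    """Minimal router model: per-interface upstream neighbour and a counter of
    packets seen per (interface, source address)."""

    def __init__(self, name, cooperates=True):
        self.name = name
        self.cooperates = cooperates       # False = operator turned traceback off
        self.neighbors = {}                # iface -> upstream Router
        self.seen = defaultdict(int)       # (iface, src) -> packet count

    def attach(self, iface, upstream):
        self.neighbors[iface] = upstream

    def observe(self, iface, src, count=1):
        self.seen[(iface, src)] += count

    def where_seen(self, src):
        """Answer 'which interfaces carry traffic with source `src`?'
        Returns None when this router refuses to take part."""
        if not self.cooperates:
            return None
        return [iface for (iface, s), n in self.seen.items() if s == src and n > 0]


def traceback(first_hop, src):
    """Walk back from the attacked host's first router.  At each router record
    the interfaces carrying `src`, then continue to the upstream router on
    each such interface.  Returns (path, suspect): the (router, iface) pairs
    found, and the names of routers that declined to answer."""
    path, suspect = [], []
    frontier, visited = [first_hop], set()
    while frontier:
        router = frontier.pop()
        if router.name in visited:
            continue
        visited.add(router.name)
        ifaces = router.where_seen(src)
        if ifaces is None:                 # non-cooperating hop: flag and stop here
            suspect.append(router.name)
            continue
        for iface in ifaces:
            path.append((router.name, iface))
            upstream = router.neighbors.get(iface)
            if upstream is not None:
                frontier.append(upstream)
    return path, suspect


def demo():
    """Constructed scenario: a flood with a spoofed source enters a large ISP
    over a small customer ISP's link whose operator has disabled traceback."""
    spoofed = "203.0.113.9"                # constructed; not assigned to the small ISP
    victim = Router("victim-edge")
    big = Router("big-isp-core")
    small = Router("small-isp-border", cooperates=False)
    victim.attach("uplink", big)
    big.attach("cust-small", small)
    big.attach("cust-other", Router("other-customer"))
    # Constructed observations: the flood is visible on the victim's uplink
    # and on the large ISP's interface toward the small ISP only.
    victim.observe("uplink", spoofed, 500)
    big.observe("cust-small", spoofed, 500)
    path, suspect = traceback(victim, spoofed)
    # What the border filter would have done with the same packets, given the
    # prefix actually provisioned for that customer interface.
    border = SourceFilter()
    border.assign("cust-small", "198.51.100.0/24")
    would_drop = not border.permits("cust-small", spoofed)
    return path, suspect, would_drop


if __name__ == "__main__":
    print(demo())
```

The traceback stops at the non-cooperating router and reports it, which matches the message's point that a hop that turns the mechanism off ends up being treated as suspect; the filter half shows why the problem is simplest at the point where the upstream already has to configure the customer's addresses by hand.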