[4137] in linux-net channel archive
Re: SYN floods
daemon@ATHENA.MIT.EDU (Speed Racer)
Thu Aug 22 03:14:07 1996
Date: Thu, 22 Aug 1996 02:20:44 -0400 (EDT)
From: Speed Racer <shagboy@dns.bluesky.net>
To: nelson@crynwr.com
cc: linux-net@vger.rutgers.edu
In-Reply-To: <19960822055645.317.qmail@ns.crynwr.com>
On 22 Aug 1996 nelson@crynwr.com wrote:
> > I say again, I think it's up to the individual ISP to watch out for
> > themselves - if they are getting SYN-flooded, make a few phone
> > calls or send a nasty letter to the attacker's provider.
>
> Which is???? If the source IP address is being faked, you have NO
> FUCKING CLUE who's sending the packets to you. The only way to find
> out is to examine the traffic through each router, hop by hop, that
> the packets take to get to you.
Then attempt to trace it back. If you can't get back in a "reasonable"
amount of time, drop the connection & assume it's spoofed. You could also
try to reverse DNS the IP - if you can't get a name back, assume it's
spoofed.
> Maybe some major router vendor (whoever THAT might be) needs to put in
> code that recognizes an abnormally large number of SYN packets, and
> sends a new ICMP packet to the destination IP address, saying
> "excessive SYNs seen".
I have an even better idea - rather than rely on the vendors, let's put it
in the Linux IP code. (I do agree with you that the vendors SHOULD do
that, but I don't really think they're going to.)
shag
Judd Bourgeois | When we are planning for posterity,
shagboy@bluesky.net | we ought to remember that virtue is
Finger for PGP key | not hereditary. Thomas Paine
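The detection idea discussed above (recognize "an abnormally large number of SYN packets" and react, with the source address giving no clue because it is faked) can be sketched in userland before anyone touches the IP stack. The following is an added example, not code from this thread or from Linux: it tracks, per destination address and port, SYNs that are never followed by the client's ACK, because a legitimately busy server also sees many SYNs but completes its handshakes, while spoofed SYNs never complete. The packet trace, the 192.0.2/198.51.100/10.x addresses, the `threshold` of 100 half-open entries and the 30-second `timeout` are all constructed or assumed for illustration.

```python
"""Half-open SYN tracker: a userland sketch of the SYN-flood detector discussed.

Added example; not code from the original message or from the Linux IP stack.
Addresses, ports and thresholds are constructed/assumed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Packet(NamedTuple):
    ts: float    # arrival time in seconds
    src: str     # source IP as seen on the wire (may be forged)
    sport: int   # source port
    dst: str     # destination IP (the server being flooded)
    dport: int   # destination port
    flags: str   # "S" = client SYN, "A" = client ACK completing the handshake


class Alert(NamedTuple):
    ts: float
    dst: str
    dport: int
    half_open: int         # SYNs still unacknowledged at alert time
    distinct_sources: int  # how many different source IPs they claim


class SynFloodDetector:
    """Count half-open connections per (dst, dport); alert when too many pile up.

    A SYN followed by the client's ACK is a completed handshake and is dropped
    from the table. A SYN that is never acknowledged stays until it ages out
    after `timeout` seconds, the way a listen backlog entry would. Spoofed
    SYNs are never acknowledged, so a flood shows up as a large table with
    many distinct (and meaningless) source addresses.
    """

    def __init__(self, threshold: int = 100, timeout: float = 30.0):
        self.threshold = threshold      # assumed value
        self.timeout = timeout          # assumed value
        # (dst, dport) -> {(src, sport): timestamp of the SYN}
        self.half_open: Dict[Tuple[str, int], Dict[Tuple[str, int], float]] = defaultdict(dict)
        self.alerts: List[Alert] = []
        self._alerted: Set[Tuple[str, int]] = set()

    def _expire(self, key: Tuple[str, int], now: float) -> None:
        table = self.half_open[key]
        for conn, t in list(table.items()):
            if now - t > self.timeout:
                del table[conn]

    def observe(self, pkt: Packet) -> None:
        key = (pkt.dst, pkt.dport)
        conn = (pkt.src, pkt.sport)
        self._expire(key, pkt.ts)
        table = self.half_open[key]
        if pkt.flags == "S":
            table.setdefault(conn, pkt.ts)
        elif pkt.flags == "A":
            table.pop(conn, None)   # handshake completed, forget it
            return
        else:
            return
        # Alert once per listener when the half-open count crosses the threshold.
        if len(table) > self.threshold and key not in self._alerted:
            self._alerted.add(key)
            self.alerts.append(Alert(pkt.ts, pkt.dst, pkt.dport, len(table),
                                     len({src for src, _ in table})))


def run_detector(packets: List[Packet], threshold: int = 100, timeout: float = 30.0) -> List[Alert]:
    det = SynFloodDetector(threshold=threshold, timeout=timeout)
    for pkt in packets:
        det.observe(pkt)
    return det.alerts


def build_sample_trace() -> List[Packet]:
    """Constructed trace: 20 normal handshakes, then 150 forged SYNs in 2 seconds."""
    server = "192.0.2.10"
    pkts: List[Packet] = []
    for i in range(20):                       # legitimate clients: SYN, then ACK 50 ms later
        t, client = float(i), f"198.51.100.{i + 1}"
        pkts.append(Packet(t, client, 40000 + i, server, 80, "S"))
        pkts.append(Packet(t + 0.05, client, 40000 + i, server, 80, "A"))
    for i in range(150):                      # flood: forged sources, never acknowledged
        t = 20.0 + i * (2.0 / 150)
        forged = f"10.{(i * 37) % 256}.{(i * 91) % 256}.{(i * 13) % 256}"
        pkts.append(Packet(t, forged, 1024 + i, server, 80, "S"))
    return pkts


if __name__ == "__main__":
    for a in run_detector(build_sample_trace()):
        print(f"t={a.ts:.2f} SYN flood against {a.dst}:{a.dport}: "
              f"{a.half_open} half-open from {a.distinct_sources} claimed sources")
```

Keying on handshake completion rather than on the source address is the point: the table can say "101 half-open connections from 101 different claimed sources" without pretending any of those addresses is real, which is what a hop-by-hop trace through the routers would be needed to establish. The `timeout` matters too: with a short enough timeout relative to the flood rate the table never fills, which is exactly the trade-off a kernel would have to make in its backlog handling.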