[4138] in linux-net channel archive
Re: SYN floods
daemon@ATHENA.MIT.EDU (nelson@crynwr.com)
Thu Aug 22 03:14:09 1996
Date: 22 Aug 1996 06:28:55 -0000
From: nelson@crynwr.com
To: Speed Racer <shagboy@dns.bluesky.net>
Cc: linux-net@vger.rutgers.edu
In-Reply-To: <Pine.SUN.3.95.960822021516.26024A-100000@dns.bluesky.net>
Speed Racer writes:
> On 22 Aug 1996 nelson@crynwr.com wrote:
>
> > > I say again, I think it's up to the individual ISP to watch out for
> > > themselves - if they are getting SYN-flooded, make a few phone
> > > calls or send a nasty letter to the attacker's provider.
> >
> > Which is???? If the source IP address is being faked, you have NO
> > FUCKING CLUE who's sending the packets to you. The only way to find
> > out is to examine the traffic through each router, hop by hop, that
> > the packets take to get to you.
>
> Then attempt to trace it back.
HOW? "tracing it back" assumes that RMON capability exists on each
routed network. It doesn't.
> If you can't get back in a "reasonable" amount of time, drop the
> connection & assume it's spoofed. You could also try to reverse
> DNS the IP - if you can't get a name back, assume it's spoofed.
There are WAY too many hosts that have no reverse mapping.
> > Maybe some major router vendor (whoever THAT might be) needs to put in
> > code that recognizes an abnormally large number of SYN packets, and
> > sends a new ICMP packet to the destination IP address, saying
> > "excessive SYNs seen".
>
> I have an even better idea - rather than rely on the vendors, let's put it
> in the Linux IP code. (I do agree with you that the vendors SHOULD do
> that, but I don't really think they're going to)
Linux is not used as a router by too many people.
-russ <nelson@crynwr.com> http://www.crynwr.com/~nelson
Crynwr Software sells packet driver support | PGP ok
521 Pleasant Valley Rd. | +1 315 268 1925 voice | Corporations persuade;
Potsdam, NY 13676 | +1 315 268 9201 FAX | governments coerce.
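The detection the thread argues about, as an added example that is not part of the original message: code that recognizes an abnormally large number of SYN packets toward one destination and, separately, SYNs whose source never completes the handshake (the spoofed-source case). The packet trace, addresses and thresholds below are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample trace: (time_s, src_ip, dst_ip, flag), client-side packets only.
# "SYN" opens a handshake; "ACK" is the client's third packet that completes it.
# Two legitimate clients complete their handshakes.
SAMPLE_PACKETS = [
    (0.00, "192.0.2.10", "198.51.100.5", "SYN"),
    (0.05, "192.0.2.10", "198.51.100.5", "ACK"),
    (0.20, "192.0.2.11", "198.51.100.5", "SYN"),
    (0.25, "192.0.2.11", "198.51.100.5", "ACK"),
]
# Then a burst of SYNs from 20 distinct (constructed) sources, none of which
# ever sends the completing ACK: the signature of spoofed-source SYN flooding.
SAMPLE_PACKETS += [
    (1.0 + i * 0.01, f"203.0.113.{i}", "198.51.100.5", "SYN") for i in range(20)
]


def detect_syn_flood(packets, window=1.0, rate_threshold=10, half_open_threshold=10):
    """Return {dst_ip: stats} for destinations that either see more than
    rate_threshold SYNs inside any sliding window of `window` seconds, or
    accumulate more than half_open_threshold sources that sent a SYN and
    never completed the handshake with an ACK."""
    syn_times = defaultdict(deque)   # dst -> timestamps of SYNs in the window
    half_open = defaultdict(set)     # dst -> sources with an unanswered SYN
    peak_rate = defaultdict(int)     # dst -> highest SYN count seen in a window
    for t, src, dst, flag in sorted(packets):
        if flag == "SYN":
            q = syn_times[dst]
            q.append(t)
            while q and t - q[0] > window:   # slide the window forward
                q.popleft()
            peak_rate[dst] = max(peak_rate[dst], len(q))
            half_open[dst].add(src)
        elif flag == "ACK":
            half_open[dst].discard(src)      # handshake completed, not half-open
    alerts = {}
    for dst, peak in peak_rate.items():
        n_half_open = len(half_open[dst])
        if peak > rate_threshold or n_half_open > half_open_threshold:
            alerts[dst] = {"peak_syn_per_window": peak,
                           "half_open_sources": n_half_open}
    return alerts


if __name__ == "__main__":
    print(detect_syn_flood(SAMPLE_PACKETS))
```

The half-open count is the more useful signal on a real link, since a busy server legitimately sees high SYN rates but not SYNs that are never followed by the client's ACK.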