[4141] in linux-net channel archive


Re: SYN floods

daemon@ATHENA.MIT.EDU (nelson@crynwr.com)
Thu Aug 22 03:15:06 1996

Date: 	22 Aug 1996 05:56:45 -0000
From: nelson@crynwr.com
To: shagboy@bluesky.net
Cc: Alan Cox <alan@cymru.net>, Lefty <lefty@sliderule.geek.org.uk>,
        linux-net@vger.rutgers.edu
In-Reply-To: <Pine.LNX.3.91.960822002000.133G-100000@cirrus.bluesky.net>

Racer X. writes:

 > I say again, I think it's up to the individual ISP to watch out for
 > themselves - if they are getting SYN-flooded, make a few phone
 > calls or send a nasty letter to the attacker's provider.

Which is????  If the source IP address is being faked, you have NO
FUCKING CLUE who's sending the packets to you.  The only way to find
out is to examine the traffic through each router, hop by hop, that
the packets take to get to you.

Maybe some major router vendor (whoever THAT might be) needs to put in
code that recognizes an abnormally large number of SYN packets, and
sends a new ICMP packet to the destination IP address, saying
"excessive SYNs seen".

-russ <nelson@crynwr.com>    http://www.crynwr.com/~nelson
Crynwr Software sells packet driver support     | PGP ok
521 Pleasant Valley Rd. | +1 315 268 1925 voice | Corporations persuade;
Potsdam, NY 13676       | +1 315 268 9201 FAX   | governments coerce.
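
The router-side check suggested in this message, sketched as an added example (not part of the original post and not any vendor's code): it counts connection-opening SYNs per destination address, since the source address may be faked, and reports a destination the first time it exceeds a threshold. The window length, threshold, class and function names and the sample addresses are assumptions, and the trace is constructed.

```python
from collections import defaultdict, deque

SYN, ACK = 0x02, 0x10          # TCP flag bits
WINDOW_SECONDS = 1.0           # assumption: sliding-window length
SYN_THRESHOLD = 100            # assumption: SYNs per window treated as abnormal


class SynRateMonitor:
    """Counts connection-opening SYNs per destination over a sliding window."""

    def __init__(self, window=WINDOW_SECONDS, threshold=SYN_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.recent = defaultdict(deque)   # dst -> timestamps of recent SYNs
        self.alerted = set()               # destinations currently over threshold

    def observe(self, ts, src, dst, flags):
        """Feed one forwarded TCP segment; return dst the first time it crosses."""
        # src is deliberately not used as a key: it may be forged.
        if not (flags & SYN) or (flags & ACK):
            return None                    # SYN-ACKs and established traffic do not count
        q = self.recent[dst]
        q.append(ts)
        while ts - q[0] > self.window:     # expire SYNs older than the window
            q.popleft()
        if len(q) <= self.threshold:
            self.alerted.discard(dst)      # back under threshold: re-arm the alert
            return None
        if dst in self.alerted:
            return None                    # already reported, still over threshold
        self.alerted.add(dst)
        return dst


def constructed_trace():
    """Constructed sample: a flood with varying sources plus ordinary traffic."""
    flood = [(i * 0.002, f"198.51.100.{i % 250 + 1}", "192.0.2.10", SYN)
             for i in range(500)]
    normal = [(i * 0.05, "203.0.113.7", "192.0.2.20", SYN) for i in range(20)]
    replies = [(i * 0.05 + 0.01, "192.0.2.20", "203.0.113.7", SYN | ACK)
               for i in range(20)]
    return sorted(flood + normal + replies)


def run_demo():
    monitor = SynRateMonitor()
    hits = (monitor.observe(*pkt) for pkt in constructed_trace())
    return [dst for dst in hits if dst is not None]
```

Calling `run_demo()` reports only the flooded destination; the 20 ordinary connection attempts and their SYN-ACK replies stay below the threshold.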
