[4182] in linux-net channel archive
Re: SYN floods
daemon@ATHENA.MIT.EDU (Racer X)
Sun Aug 25 03:16:19 1996
Date: Fri, 23 Aug 1996 18:24:39 -0400 (EDT)
From: Racer X <shagboy@wspice.com>
Reply-To: shagboy@bluesky.net
To: nelson@crynwr.com
cc: linux-net@vger.rutgers.edu
In-Reply-To: <19960822062855.650.qmail@ns.crynwr.com>
On 22 Aug 1996 nelson@crynwr.com wrote:
> > If you can't get back in a "reasonable" amount of time, drop the
> > connection & assume it's spoofed. You could also try to reverse
> > DNS the IP - if you can't get a name back, assume it's spoofed.
>
> There are WAY too many hosts that have no reverse mapping.
Then that's THEIR problem. I couldn't connect to a good number of FTP
sites because they couldn't reverse my IP. I sent mail to my provider &
bugged them on the phone for a week, and they still didn't make the DNS
changes, so I switched providers.
Everyone SHOULD have a reverse DNS mapping. Period. Isn't there some RFC
somewhere that says all connected hosts' IPs should correspond to a name?
If you don't want to deny people that for some reason don't have a reverse
map, then you can still get some usefulness out of this idea - people who DO
have a reverse map can probably be considered a legitimate host and be
accepted right away.
> > > Maybe some major router vendor (whoever THAT might be) needs to put in
> > > code that recognizes an abnormally large number of SYN packets, and
> > > sends a new ICMP packet to the destination IP address, saying
> > > "excessive SYNs seen".
> >
> > I have an even better idea - rather than rely on the vendors, let's put it
> > in the Linux IP code. (I do agree with you that the vendors SHOULD do
> > that, but I don't really think they're going to)
>
> Linux is not used as a router by too many people.
It is, however, used as a web/mail/FTP/news/etc. server by a large and
growing number of ISPs. The SYN flood doesn't affect the router
adversely anyway (other than sending a bunch of packets across it); it
affects the machine on which those services are running.
Like I said, I agree that major vendors SHOULD put code into their
routers to deny this type of attack. But I'm going to be pragmatic and
assume they aren't going to anytime soon. In the meantime, since this
could be implemented on Linux, why not do it and see if it solves any
problems? I don't know the kernel code that well, but I'll lend whatever
help I can if anyone else is interested.
shag
Judd Bourgeois | When we are planning for posterity,
shagboy@bluesky.net | we ought to remember that virtue is
Finger for PGP key | not hereditary. Thomas Paine
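The thread proposes two host-side defenses: drop half-open connections that do not complete within a "reasonable" time, and flag an abnormally large number of SYNs, with hosts that have a reverse DNS name treated as more trustworthy. The following is an added example, not code from the message or from the Linux kernel, that models both ideas in user space. Its reverse-DNS lookups are replaced by a constructed table (`REVERSE_DNS`), the trace it replays is constructed, and the class and function names, timeout, backlog and threshold values are all assumptions chosen for the illustration.

```python
"""Toy model of the SYN-flood defenses discussed in the thread:
(1) evict half-open connections that do not complete within a timeout,
(2) raise an 'excessive SYNs seen' signal when a sliding window fills,
(3) when the backlog is full, evict entries from addresses with no
    reverse mapping before touching those that have one.
Reverse-DNS lookups are stubbed with a constructed table so this runs offline."""

from collections import deque
from dataclasses import dataclass, field

# Constructed stand-in for PTR lookups (assumption, not real DNS data).
REVERSE_DNS = {
    "10.0.0.5": "mail.example.net",
    "10.0.0.7": "www.example.org",
}


def has_reverse_name(ip: str) -> bool:
    """True if the constructed reverse map knows this address."""
    return ip in REVERSE_DNS


@dataclass
class HalfOpenTable:
    """Tracks SYN-received connections and evicts them on timeout or pressure."""
    timeout: float                 # seconds a half-open entry may live
    backlog: int                   # maximum simultaneous half-open entries
    entries: dict = field(default_factory=dict)   # (ip, port) -> time of SYN
    dropped: int = 0               # entries evicted without completing

    def on_syn(self, ip: str, port: int, now: float) -> bool:
        """Record a SYN. Returns False if it had to be refused outright."""
        self.expire(now)
        if len(self.entries) >= self.backlog:
            # Backlog full: evict the oldest entry whose source has no
            # reverse name; entries with a PTR record are kept.
            victim = next((k for k in self.entries if not has_reverse_name(k[0])), None)
            if victim is None:
                return False
            del self.entries[victim]
            self.dropped += 1
        self.entries[(ip, port)] = now
        return True

    def on_ack(self, ip: str, port: int, now: float) -> bool:
        """Final handshake step; True if a matching half-open entry completed."""
        return self.entries.pop((ip, port), None) is not None

    def expire(self, now: float) -> int:
        """Drop entries older than the timeout; returns how many were dropped."""
        stale = [k for k, t in self.entries.items() if now - t > self.timeout]
        for k in stale:
            del self.entries[k]
        self.dropped += len(stale)
        return len(stale)


class SynRateMonitor:
    """Counts SYNs in a sliding window; the 'excessive SYNs seen' signal."""

    def __init__(self, window: float, threshold: int):
        self.window = window
        self.threshold = threshold
        self.times = deque()

    def on_syn(self, now: float) -> bool:
        """Record a SYN; True when the window holds more than `threshold` SYNs."""
        self.times.append(now)
        while self.times and now - self.times[0] > self.window:
            self.times.popleft()
        return len(self.times) > self.threshold


def simulate() -> dict:
    """Replay a constructed trace: one real handshake amid a burst of bare SYNs."""
    table = HalfOpenTable(timeout=5.0, backlog=8)
    monitor = SynRateMonitor(window=1.0, threshold=10)
    alerts = 0
    # A client with a reverse name completes its handshake normally.
    table.on_syn("10.0.0.5", 40000, 0.0)
    monitor.on_syn(0.0)
    completed = table.on_ack("10.0.0.5", 40000, 0.1)
    # Twenty SYNs in 0.2 s from addresses with no reverse mapping, never ACKed.
    for i in range(20):
        t = 0.2 + i * 0.01
        table.on_syn(f"192.0.2.{i}", 50000 + i, t)
        if monitor.on_syn(t):
            alerts += 1
    # Once the timeout has passed, whatever is still half-open is dropped.
    expired = table.expire(10.0)
    return {"completed": completed, "alerts": alerts, "expired": expired,
            "dropped": table.dropped, "remaining": len(table.entries)}


if __name__ == "__main__":
    print(simulate())
```

The lookup is a table rather than a live query because a blocking PTR lookup inside the per-SYN path would itself stall the receiver; in practice the reverse-name status would be cached or resolved out of band. The eviction policy only ever refuses a SYN when every remaining half-open entry belongs to an address with a reverse name, which is the "accept them right away" behaviour the message describes.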