[12941] in North American Network Operators' Group


Re: Syn flooding attacks

daemon@ATHENA.MIT.EDU (Joe Shaw)
Mon Oct 20 16:33:03 1997

Date: Mon, 20 Oct 1997 15:09:24 -0500 (CDT)
From: Joe Shaw <jshaw@insync.net>
To: Vern Paxson <vern@ee.lbl.gov>
cc: Phil Howard <phil@charon.milepost.com>,
        Paulo Maffei <paulo@br.global-one.net>, nanog@merit.edu
In-Reply-To: <199710201808.LAA17216@daffy.ee.lbl.gov>


On Mon, 20 Oct 1997, Vern Paxson wrote:

> > The router could discard the SYN, remembering it, and let pass the retry SYN
> > that usually occurs with valid connections and does not with invalid ones.
> 
> This is no good - all the crackers have to do is modify their programs
> to send two bogus SYNs, spaced apart, instead of just one.

Don't most SYN flood programs just send a constant stream of SYNs to the
specified machine/port?  The one I have for testing does that.  So,
sequential requests would get around this, no matter how many SYNs you
were looking for.  I think the best protection against SYN flooding is in
the kernel level of the OS.  If you see a massive amount of SYN requests
coming in on one port from one machine or many, then you start applying
cookies for those connections and decrease the hold time before you start
dropping the connections due to un-answered SYN-ACKs.  Don't most
operating systems now support this feature (Win95 excluded)?

Joe Shaw - jshaw@insync.net
NetAdmin - Insync Internet Services 
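The kernel-level defence the post describes (a bounded SYN backlog, a shorter hold time for unanswered SYN-ACKs once the backlog comes under pressure, and stateless SYN cookies once it is full), as an added example that is not part of the original post or any particular OS's TCP stack. The per-boot secret, the backlog size, the hold times, the addresses and the `Listener` model are assumptions chosen so the behaviour shows in a few calls; the cookie layout (8-bit minute counter in the top byte, 24-bit keyed hash below it) is a simplification of the real scheme.

```python
"""Toy model of kernel-side SYN flood defence: bounded backlog, reduced
SYN-ACK hold time under pressure, stateless SYN cookies when full."""
import hashlib
import hmac
import secrets

# Assumptions for illustration, not values from the original post.
SECRET = b"constructed per-boot secret"
BACKLOG_LIMIT = 4          # half-open connections the listener will hold
HOLD_TIME_NORMAL = 75.0    # seconds an unanswered SYN-ACK is kept normally
HOLD_TIME_ATTACK = 10.0    # reduced hold time once the backlog is half full
COOKIE_MAX_AGE_MINUTES = 2


def _mac24(secret, src, sport, dst, dport, client_isn, minute):
    """24-bit keyed hash binding a cookie to the 4-tuple, client ISN and time."""
    msg = f"{src}:{sport}:{dst}:{dport}:{client_isn}:{minute}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, src, sport, dst, dport, client_isn, now):
    """Server ISN carrying a minute counter (top 8 bits) and a MAC (low 24)."""
    minute = int(now // 60) & 0xFF
    return (minute << 24) | _mac24(secret, src, sport, dst, dport, client_isn, minute)


def check_cookie(secret, src, sport, dst, dport, client_isn, server_isn, now):
    """Recompute the MAC from the returning ACK; no per-connection state needed."""
    minute = server_isn >> 24
    if ((int(now // 60) - minute) & 0xFF) > COOKIE_MAX_AGE_MINUTES:
        return False  # stale or forged counter
    expected = _mac24(secret, src, sport, dst, dport, client_isn, minute)
    return hmac.compare_digest(expected.to_bytes(3, "big"),
                               (server_isn & 0xFFFFFF).to_bytes(3, "big"))


class Listener:
    """Listening socket with a SYN backlog that degrades to cookies under load."""

    def __init__(self, addr, port, secret=SECRET, backlog_limit=BACKLOG_LIMIT):
        self.addr, self.port, self.secret = addr, port, secret
        self.backlog_limit = backlog_limit
        self.half_open = {}      # (src, sport) -> (client_isn, server_isn, expiry)
        self.established = set()
        self.cookies_sent = 0

    def expire(self, now):
        """Drop half-open entries whose SYN-ACK hold time has run out."""
        self.half_open = {k: v for k, v in self.half_open.items() if v[2] > now}
        return len(self.half_open)

    def on_syn(self, src, sport, client_isn, now):
        """Handle a SYN; return the server ISN to place in the SYN-ACK."""
        self.expire(now)
        if len(self.half_open) >= self.backlog_limit:
            # Backlog full: answer statelessly with a cookie and remember nothing.
            self.cookies_sent += 1
            return make_cookie(self.secret, src, sport, self.addr, self.port,
                               client_isn, now)
        # Backlog half full already: shorten the hold time for new entries.
        hold = (HOLD_TIME_ATTACK if len(self.half_open) >= self.backlog_limit // 2
                else HOLD_TIME_NORMAL)
        server_isn = secrets.randbits(32)
        self.half_open[(src, sport)] = (client_isn, server_isn, now + hold)
        return server_isn

    def on_ack(self, src, sport, seq, ack, now):
        """Third handshake packet: seq = client_isn + 1, ack = server_isn + 1."""
        self.expire(now)
        key = (src, sport)
        if key in self.half_open:
            client_isn, server_isn, _ = self.half_open[key]
            if seq == client_isn + 1 and ack == server_isn + 1:
                del self.half_open[key]
                self.established.add(key)
                return True
            return False
        # No state for this peer: the ACK must carry a valid cookie or it is dropped.
        if check_cookie(self.secret, src, sport, self.addr, self.port,
                        seq - 1, ack - 1, now):
            self.established.add(key)
            return True
        return False


def demo():
    """Constructed flood from spoofed sources, then a legitimate client."""
    lst = Listener("192.0.2.10", 80)
    t = 1000.0
    for i in range(BACKLOG_LIMIT):               # spoofed SYNs, never acked
        lst.on_syn(f"203.0.113.{i}", 40000 + i, 1000 + i, t)
    backlog = len(lst.half_open)
    isn = lst.on_syn("198.51.100.7", 51000, 777, t + 1)   # served by cookie
    legit_ok = lst.on_ack("198.51.100.7", 51000, 778, isn + 1, t + 2)
    forged_ok = lst.on_ack("198.51.100.8", 51001, 778, 12345679, t + 2)
    return {
        "backlog_after_flood": backlog,
        "cookies_sent": lst.cookies_sent,
        "legit_ok": legit_ok,
        "forged_ok": forged_ok,
        "half_open_after_short_hold": lst.expire(t + HOLD_TIME_ATTACK + 1),
        "half_open_after_long_hold": lst.expire(t + HOLD_TIME_NORMAL + 1),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is that once the backlog is full the listener stops storing anything for new SYNs, so a constant stream of spoofed SYNs no longer consumes memory, while a real client still completes its handshake because its ACK carries the recomputable cookie; a spoofed source that never answers the SYN-ACK is simply forgotten, and the entries that were admitted before the cookies kicked in are shed faster because of the reduced hold time.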

