[4222] in North American Network Operators' Group


Re: SYN floods (was: does history repeat itself?)

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Mon Sep 9 13:59:17 1996

To: nanog@merit.edu
In-reply-to: Your message of "Mon, 09 Sep 1996 12:47:13 EDT."
             <199609091647.MAA01458@tomservo.mindspring.com> 
Reply-To: perry@piermont.com
Date: Mon, 09 Sep 1996 13:19:02 -0400
From: "Perry E. Metzger" <perry@piermont.com>


Re: SYN floods

PANIX, a large public access provider in New York, was badly hit with
SYN flood attacks from random source addresses over the last few
days. It nearly wrecked them.

I think it's time for the larger providers to start filtering packets
coming from customers so that they only accept packets with the
customer's network number on it. 

Yes, it's a load on routers. Yes, it's nasty for the mobile IP weenies.
Unfortunately, it's the only known way to stop this. Many TCPs go belly up
as soon as they get SYN flooded -- it's a defect in the protocol
design, and other than Karn style anti-clogging tokens ("cookies")
being put into a TCP++ and mass implemented worldwide soon, the only
reasonable way to stop this sort of terrorism is provider filtering.

Perry
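
The filtering rule proposed in the message above, as an added example that is not part of the original post: a provider edge accepts a packet only when its source address falls inside a prefix assigned to the customer port it arrived on. The port names, prefixes (documentation ranges) and packet records are constructed; the last packet shows the roaming-host cost the message mentions.

```python
import ipaddress
from collections import Counter

# Constructed provisioning data: prefixes assigned to each customer-facing port.
CUSTOMER_PREFIXES = {
    "cust-a": ["192.0.2.0/25"],
    "cust-b": ["198.51.100.0/24", "203.0.113.64/26"],
}

def build_filters(table):
    """Parse the prefix strings once, so each packet check is a membership test."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in table.items()}

def permit(filters, port, src):
    """Accept a packet only if its source address lies in a prefix assigned to
    the port it arrived on; unknown ports and malformed addresses are dropped."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in filters.get(port, ()))

def apply_filter(filters, packets):
    """Return (forwarded packets, per-port drop counts) for (port, src, dst, flags)."""
    forwarded, dropped = [], Counter()
    for pkt in packets:
        port, src = pkt[0], pkt[1]
        if permit(filters, port, src):
            forwarded.append(pkt)
        else:
            dropped[port] += 1
    return forwarded, dropped

# Constructed traffic: (arrival port, source, destination, TCP flags).
SAMPLE = [
    ("cust-a", "192.0.2.10", "203.0.113.200", "SYN"),    # legitimate customer host
    ("cust-a", "10.45.7.1", "203.0.113.200", "SYN"),     # forged source
    ("cust-a", "172.16.99.3", "203.0.113.200", "SYN"),   # forged source
    ("cust-a", "198.51.100.5", "203.0.113.200", "SYN"),  # cust-b address on the wrong port
    ("cust-b", "198.51.100.5", "192.0.2.10", "SYN"),     # same address on its own port
    ("cust-b", "192.0.2.77", "203.0.113.200", "ACK"),    # roaming host using its home address
]

if __name__ == "__main__":
    fwd, drops = apply_filter(build_filters(CUSTOMER_PREFIXES), SAMPLE)
    print(len(fwd), "forwarded;", dict(drops), "dropped")
```

The check is applied at the customer-facing edge, where the provider knows which prefixes belong on each port; the flood target itself cannot tell forged sources from real ones.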
