[4227] in North American Network Operators' Group


Re: SYN floods (was: does history repeat itself?)

daemon@ATHENA.MIT.EDU (Avi Freedman)
Mon Sep 9 14:37:48 1996

From: Avi Freedman <freedman@netaxs.com>
To: perry@piermont.com
Date: Mon, 9 Sep 1996 14:35:27 -0400 (EDT)
Cc: nanog@merit.edu
In-Reply-To: <199609091743.NAA24950@jekyll.piermont.com> from "Perry E. Metzger" at Sep 9, 96 01:43:08 pm

> BTW, Alexis Rosen at Panix could use some help tracking down the
> person(s) attacking his machines -- he's more or less being shut down
> by this. He's having some trouble finding the right person at Sprint
> (one of his two providers) to talk to. If the right person could get
> in touch with me, I'll hook the two of you up.
> 
> Hopefully, with a little inter-provider cooperation, the guy will get
> caught and arrested soon.
>
> Perry

I'll post more a bit later (the attack is under way now).

MCI was very cooperative, but Sprint said they didn't have time or
energy (even though Panix is a Sprint customer) to help to find out
where on Sprint's network the packets are entering.  (Panix has a
T1 to MCI and a T1 to Sprintlink.  In fact, Panix was Sprintlink's
first ISP customer (used to be on sl-dc-1-s0).)

For a while, the attacker was using a constant seq # (though random ports
and src addresses).  We hacked the kernel to filter out that seq # in
tcp input routines.

While how to fix kernels so they're not as vulnerable to huge syn storms 
is not a NANOG topic, finding the <expletives deleted regretfully> who
do this is.

More later,

Avi
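The kernel hack Avi describes (dropping SYNs that carry the attacker's constant sequence number) is a fingerprint filter: the flood is recognisable not by its spoofed source addresses, which are random, but by a field the tool failed to randomise. The following is an added example, not code from Avi, Panix, or the NANOG thread, showing how a defender can spot that fingerprint in a stream of SYN records and then apply the same filter in user space before deciding on a kernel change. The `SynRecord` layout and the sample packets are constructed for this example; the thresholds (`min_syns`, `dominance`) are assumptions, not values from the post.

```python
"""Detect and filter a SYN flood whose packets share one constant ISN.

Added example; the record layout and sample traffic are constructed
here, not taken from the mailing-list post.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SynRecord:
    """One captured TCP SYN (hypothetical layout, e.g. parsed from a sniffer)."""
    ts: float        # capture time, seconds
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int         # TCP initial sequence number carried by the SYN


# Constructed sample: eight spoofed SYNs to port 25 that all carry
# seq 0x1234ABCD from different random sources, plus four normal SYNs
# whose ISNs differ.
SAMPLE_SYNS = [
    SynRecord(100.0 + i * 0.05, f"10.{i}.{i}.{i}", 1024 + i * 7,
              "192.0.2.10", 25, 0x1234ABCD)
    for i in range(8)
] + [
    SynRecord(100.5, "198.51.100.5", 40000, "192.0.2.10", 25, 0x0A0B0C01),
    SynRecord(100.6, "198.51.100.6", 40001, "192.0.2.10", 25, 0x0A0B0C02),
    SynRecord(100.7, "198.51.100.7", 40002, "192.0.2.10", 80, 0x0A0B0C03),
    SynRecord(100.8, "198.51.100.8", 40003, "192.0.2.10", 80, 0x0A0B0C04),
]


def syn_rate_by_target(records, window=1.0):
    """Count SYNs per (dst_ip, dst_port) in the window ending at the latest capture."""
    if not records:
        return {}
    end = max(r.ts for r in records)
    counts = Counter()
    for r in records:
        if end - window < r.ts <= end:
            counts[(r.dst_ip, r.dst_port)] += 1
    return dict(counts)


def constant_seq_fingerprint(records, min_syns=5, dominance=0.5):
    """Find targets where one ISN value dominates the SYNs from many sources.

    Legitimate clients choose their own ISNs, so a single value accounting
    for >= `dominance` of SYNs to one target, spread over many distinct
    (src_ip, src_port) pairs, is a flood-tool fingerprint rather than a
    client retransmitting. Returns a list of finding dicts.
    """
    by_target = defaultdict(list)
    for r in records:
        by_target[(r.dst_ip, r.dst_port)].append(r)

    findings = []
    for target, recs in by_target.items():
        if len(recs) < min_syns:
            continue                      # too few SYNs to draw a conclusion
        seq, n = Counter(r.seq for r in recs).most_common(1)[0]
        share = n / len(recs)
        if share < dominance:
            continue
        sources = {(r.src_ip, r.src_port) for r in recs if r.seq == seq}
        if len(sources) == 1:
            continue                      # one host retrying, not a spoofed flood
        findings.append({
            "target": target,
            "seq": seq,
            "share": share,
            "distinct_sources": len(sources),
        })
    return findings


def drop_fingerprinted(records, seq):
    """User-space equivalent of the kernel filter: discard SYNs carrying `seq`."""
    return [r for r in records if r.seq != seq]


def main():
    rates = syn_rate_by_target(SAMPLE_SYNS)
    print("SYNs per target in last second:", rates)
    for f in constant_seq_fingerprint(SAMPLE_SYNS):
        print(f"target {f['target']}: seq {f['seq']:#010x} on "
              f"{f['share']:.0%} of SYNs from {f['distinct_sources']} sources")
        kept = drop_fingerprinted(SAMPLE_SYNS, f["seq"])
        print(f"  after filtering: {len(kept)} SYNs remain")


if __name__ == "__main__":
    main()
```

A per-target rate alone cannot separate a flood from a busy mail server; it is the combination of rate, one dominant ISN and many distinct sources that makes the filter safe to apply. The filter is only as good as the fingerprint: once the tool randomises the sequence number, as Avi's "for a while" implies it eventually might, this check finds nothing and the remaining defences are the kernel's SYN queue handling and upstream traceback.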
