[4229] in North American Network Operators' Group
Re[2]: SYN floods (was: does history repeat itself?)
daemon@ATHENA.MIT.EDU (Pat Calhoun)
Mon Sep 9 14:49:12 1996
Date: Mon, 9 Sep 1996 13:19:18 -0500
From: pcalhoun@usr.com (Pat Calhoun)
To: nanog@merit.edu, "Perry E. Metzger" <perry@piermont.com>
This is a Mime message, which your current mail reader
may not understand. Parts of the message will appear as
text. To process the remainder, you will need to use a Mime
compatible mail reader. Contact your vendor for details.
--IMA.Boundary.388702248
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Perry,
This is actually quite simple to implement on Dial Access Routers,
and obviously this is the best place to add the filtering.
Pat R. Calhoun e-mail: pcalhoun@usr.com
Project Engineer - Lan Access R&D phone: (847) 933-5181
US Robotics Access Corp.
______________________________ Reply Separator _________________________________
Subject: Re: SYN floods (was: does history repeat itself?)
Author: "Perry E. Metzger" <perry@piermont.com> at Internet
Date: 9/9/96 1:19 PM
Re: SYN floods
PANIX, a large public access provider in New York, was badly hit with
SYN flood attacks from random source addresses over the last few
days. It nearly wrecked them.
I think its time for the larger providers to start filtering packets
coming from customers so that they only accept packets with the
customer's network number on it.
Yes, its a load on routers. Yes, its nasty for the mobile IP weenies.
Unfortunately, the only known way to stop this. Many TCPs go belly up
as soon as they get SYN flooded -- its a defect in the protocol
design, and other than Karn style anti-clogging tokens ("cookies")
being put into a TCP++ and mass implemented worldwide soon, the only
reasonable way to stop this sort of terrorism is provider filtering.
Perry
--IMA.Boundary.388702248
Content-Type: text/plain; charset=US-ASCII; name="RFC822 message headers"
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Content-Disposition: attachment; filename="RFC822 message headers"
Received: from usr.com (mailgate.usr.com) by robogate2.usr.com with SMTP
(IMA Internet Exchange 2.02 Enterprise) id 233028F0; Sun, 8 Sep 96 12:29:51
-0500
Received: from merit.edu by usr.com (8.7.5/3.1.090690-US Robotics)
id MAA17658; Mon, 9 Sep 1996 12:33:14 -0500 (CDT)
Received: from localhost (daemon@localhost) by merit.edu (8.7.5/merit-2.0) with
SMTP id NAA17064; Mon, 9 Sep 1996 13:20:33 -0400 (EDT)
Received: by merit.edu (bulk_mailer v1.5); Mon, 9 Sep 1996 13:19:08 -0400
Received: (from daemon@localhost) by merit.edu (8.7.5/merit-2.0) id NAA16987 for
nanog-outgoing; Mon, 9 Sep 1996 13:19:08 -0400 (EDT)
Received: from jekyll.piermont.com (jekyll.piermont.com [206.1.51.15]) by
merit.edu (8.7.5/merit-2.0) with ESMTP id NAA16982 for <nanog@merit.edu>; Mon, 9
Sep 1996 13:19:05 -0400 (EDT)
Received: from localhost (perry@localhost) by jekyll.piermont.com (8.7.5/8.6.12)
with SMTP id NAA24855 for <nanog@merit.edu>; Mon, 9 Sep 1996 13:19:02 -0400
(EDT)
Message-Id: <199609091719.NAA24855@jekyll.piermont.com>
X-Authentication-Warning: jekyll.piermont.com: Host perry@localhost didn't use
HELO protocol
To: nanog@merit.edu
Subject: Re: SYN floods (was: does history repeat itself?)
In-reply-to: Your message of "Mon, 09 Sep 1996 12:47:13 EDT."
<199609091647.MAA01458@tomservo.mindspring.com>
Reply-To: perry@piermont.com
X-Reposting-Policy: redistribute only with permission
Date: Mon, 09 Sep 1996 13:19:02 -0400
From: "Perry E. Metzger" <perry@piermont.com>
Sender: owner-nanog@merit.edu
--IMA.Boundary.388702248--
