[4295] in North American Network Operators' Group
Re: SYN floods continue
daemon@ATHENA.MIT.EDU (Avi Freedman)
Wed Sep 11 13:12:52 1996
From: Avi Freedman <freedman@netaxs.com>
To: michael@memra.com (Michael Dillon)
Date: Wed, 11 Sep 1996 13:08:28 -0400 (EDT)
Cc: alexis@panix.com, nanog@merit.edu
In-Reply-To: <Pine.BSI.3.93.960911094321.19370D-100000@sidhe.memra.com> from "Michael Dillon" at Sep 11, 96 09:44:05 am
> On Wed, 11 Sep 1996, Alexis Rosen wrote:
>
> > Anyway. Point is this: We can't take too much more of this, nor can our
> > customers. I have yet to hear *anyone* come up with any ideas even remotely
> > reasonable for how to deal with this situation, long term, except for the
> > filtering that Avi, Perry, and I have been promoting these last few days.
> >
> > Whether or not existing equipment can handle the job is *IRRELEVANT*. If
> > it won't, new equipment must be bought. The net won't survive without it.
>
> Did you ever track down the source of the attacks? If not, why not?
>
> Michael Dillon - ISP & Internet Consulting

Without saying too much, I think I can say that the attacks did go on for hours
a few times, but stopped before too much tracing could be done.

Initially I thought Panix was being attacked by a random attacker; Voicenet
in Philadelphia was attacked for almost a day on their mail ports, and another
provider in Philly was attacked for 4-6 hours on news ports (pretty
ineffective). But Panix has been attacked a few times now.

I've actually got a kernel built for sun4c that is pretty good/resistant,
but only to the attacks I can *think of*. I and Panix are trying to get it
working on sun4m.

Bottom line, it would be good if everyone who could would filter incoming
on customers or outgoing on borders. While you're at it, if your network
is relatively simple (compared to, say, MCI's or UUNET's or Sprint's), you
might want to filter incoming on borders at exchange points to prevent others
from using you for transit.

Avi
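
The three filters named in the message above, sketched as an added example that is not part of the original post or any router's actual configuration: the per-packet accept/drop decision for "incoming on customers", "outgoing on borders" and "incoming at exchange points". The prefixes, interface names and sample packets are constructed for illustration (RFC 5737 documentation ranges).

```python
import ipaddress

# Constructed topology (assumption): the provider's own address space and
# the blocks delegated to each customer-facing interface.
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")]
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/26")],
    "cust-b": [ipaddress.ip_network("198.51.100.64/26"),
               ipaddress.ip_network("203.0.113.0/25")],
}

def _in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def customer_ingress(iface, src):
    """Incoming on customers: the source must be an address delegated to
    that customer, so forged sources die at the first hop."""
    return _in_any(src, CUSTOMER_PREFIXES.get(iface, []))

def border_egress(src):
    """Outgoing on borders: only our own address space may leave as a source."""
    return _in_any(src, OWN_PREFIXES)

def exchange_ingress(dst):
    """Incoming at exchange points (non-transit networks only): the
    destination must be ours, otherwise a peer is using us for transit."""
    return _in_any(dst, OWN_PREFIXES)

# Constructed sample packets: (filter point, interface, source, destination)
SAMPLE = [
    ("customer", "cust-a", "198.51.100.10", "192.0.2.25"),  # legitimate
    ("customer", "cust-a", "10.1.2.3", "192.0.2.25"),       # forged source
    ("customer", "cust-a", "198.51.100.70", "192.0.2.25"),  # cust-b's address
    ("border-out", None, "203.0.113.200", "192.0.2.25"),    # our space leaving
    ("border-out", None, "192.0.2.55", "192.0.2.25"),       # foreign source leaving
    ("exchange-in", None, "192.0.2.9", "198.51.100.5"),     # destined to us
    ("exchange-in", None, "192.0.2.9", "192.0.2.77"),       # transit attempt
]

def evaluate(packets):
    """Return 'permit' or 'drop' for each packet at its filter point."""
    checks = {
        "customer": lambda iface, src, dst: customer_ingress(iface, src),
        "border-out": lambda iface, src, dst: border_egress(src),
        "exchange-in": lambda iface, src, dst: exchange_ingress(dst),
    }
    return ["permit" if checks[point](iface, src, dst) else "drop"
            for point, iface, src, dst in packets]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, evaluate(SAMPLE)):
        print(verdict, pkt)
```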