[4303] in North American Network Operators' Group


Re: SYN floods continue

daemon@ATHENA.MIT.EDU (Vadim Antonov)
Wed Sep 11 15:44:44 1996

Date: Wed, 11 Sep 1996 12:33:02 -0700
From: Vadim Antonov <avg@quake.net>
To: alex@relcom.EU.net, jon@branch.com, jtk@nap.net
Cc: alexis@panix.com, nanog@merit.edu

Alex Rudnev wrote:

Hi, Alex!

>BTW. Some time ago (when we used PC based routers and had all sources) we
>discussed the same problem. One of the best solutions to prevent many kinds of
>hacker's weapons is to allow a customer to send packets with a SRC address ONLY
>if this (SRC) address has a route via the same interface. This control is possible
>only for a one-homed customer but is effective enough to prevent TCP spoofing,
>many SYN, PING, UDP, etc. attacks, and does allow the ISP to determine the source of
>any internet attack.

I stated many times that it would be desirable default behaviour for
routers to never accept packets with source addresses for which they
don't have a route back thru the same interface.

That prohibits IP src spoofing (and asymmetrical paths).  When asymmetrical
routing is what is desired, that safeguard could be disabled on a per-interface
basis.

In most networks asymmetrical routing is an indication of a bug in
an IGP configuration, so early detection of the configuration problems
would be an additional benefit.

--vadim
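The check described in the thread (accept a packet only if the route back to its source address leaves via the interface it arrived on, with a per-interface switch for the asymmetric-routing case), as an added simulation that is not code from the original posts; the routing table, interface names and sample packets are constructed:

```python
# Added example, not code from the NANOG thread: strict reverse-path check.
# A packet is accepted only if the router's best route back to its source
# address leaves via the interface the packet arrived on. All data constructed.
import ipaddress

# Constructed routing table: (prefix, egress interface); longest prefix wins.
ROUTES = [
    ("0.0.0.0/0", "upstream0"),
    ("192.0.2.0/24", "cust1"),        # single-homed customer
    ("198.51.100.0/24", "cust2"),
    ("198.51.100.128/25", "cust3"),   # more specific than cust2's /24
]
# Interfaces where the check is disabled (the asymmetric-routing case).
RPF_DISABLED = {"upstream0"}

def route_interface(addr):
    """Longest-prefix-match lookup; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rpf_accept(src, in_iface):
    """Strict reverse-path check: accept if the route back to src uses in_iface."""
    if in_iface in RPF_DISABLED:
        return True
    return route_interface(src) == in_iface

def filter_packets(packets):
    """Split constructed (src, in_iface) pairs into accepted and dropped lists."""
    accepted, dropped = [], []
    for src, iface in packets:
        (accepted if rpf_accept(src, iface) else dropped).append((src, iface))
    return accepted, dropped

# Constructed sample: legitimate, spoofed, wrong-interface, and exempted packets.
SAMPLE = [
    ("192.0.2.10", "cust1"),        # source routes back via cust1: accept
    ("203.0.113.5", "cust1"),       # source routes via upstream0: spoofed, drop
    ("198.51.100.200", "cust2"),    # belongs to cust3's /25, not cust2: drop
    ("203.0.113.5", "upstream0"),   # check disabled on upstream0: accept
]

if __name__ == "__main__":
    acc, drp = filter_packets(SAMPLE)
    print("accepted:", acc)
    print("dropped:", drp)
```

The third sample shows the caveat from the thread in practice: a source that legitimately belongs to a more specific route on another interface is dropped just like a spoofed one, which is why the check suits single-homed customers and is switched off where paths are asymmetric.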
