[4314] in North American Network Operators' Group
Re: SYN floods continue
daemon@ATHENA.MIT.EDU (Steven L. Johnson)
Thu Sep 12 00:09:34 1996
From: "Steven L. Johnson" <steve@barstool.com>
To: alexis@panix.com (Alexis Rosen)
Date: Thu, 12 Sep 1996 00:05:54 -0400 (EDT)
Cc: nanog@merit.edu
In-Reply-To: <199609110958.FAA16558@panix.com> from "Alexis Rosen" at Sep 11, 96 05:58:02 am
> Anyway. Point is this: We can't take too much more of this, nor can our
> customers. I have yet to hear *anyone* come up with any ideas even remotely
> reasonable for how to deal with this situation, long term, except for the
> filtering that Avi, Perry, and I have been promoting these last few days.
If hardening all hosts against forged source address SYN attacks is not
feasible then perhaps providing a hardened device in front of server
farms is. How about something that spoofs the TCP connection setup,
uses minimal resources for unconfirmed TCP connections and perhaps more
aggressively times out these connections when under attack. Basically
this firewall would not forward a SYN packet to a server from an unknown
host until that host had properly ACKd a SYN ACK from the firewall. The
resulting connection would require that the firewall adjust seq/ack
numbers before forwarding the packets between the host and server as
the pseudo random seq number used in the initial SYN ACK from the firewall
to the host will be different from that proposed eventually by the server.
And it makes sequence guessing attacks much harder as well.
An idea?
-Steve