[4340] in North American Network Operators' Group


Re: SYN floods - possible solution? (fwd)

daemon@ATHENA.MIT.EDU (Michael Dillon)
Fri Sep 13 02:37:43 1996

Date: Thu, 12 Sep 1996 23:32:45 -0700 (PDT)
From: Michael Dillon <michael@memra.com>
To: nanog@merit.edu


Now here is something that could be used by sites to protect against SYN
flood attacks, assuming that they can build a special custom box with
enough RAM to buffer the sockets for 30 seconds or more. How high a rate
can SYN floods come in at? I've heard of 1,000 per sec which implies that
this box needs to hold open 30,000 to 75,000 potential sockets. Is there
any problem within IPv4 (seq #'s?) that would make this inherently
impossible?

Michael Dillon                   -               ISP & Internet Consulting
Memra Software Inc.              -                  Fax: +1-604-546-3049
http://www.memra.com             -               E-mail: michael@memra.com

---------- Forwarded message ----------
Date: Fri, 13 Sep 1996 01:36:54 -0400 (EDT)
From: "Roderick Murchison, Jr." <murchiso@vivid.newbridge.com>
To: firewall-1@applicom.co.il
Cc: firewalls@GreatCircle.COM
Subject: Re: SYN floods - possible solution?

On Thu, 12 Sep 1996, Blast wrote:
> This problem has kept me awake more than coffee. :-)

Ditto... I just woke up *again* with a kludgy but potential defense...
sorry if this is totally out of whack, but I'm really beat!

Ok.  Say you have a firewall between your network and your Internet
connection.  If that firewall could detect and *detain* a segment with the
SYN option set, then see if the set source IP answers an ICMP echo
request, we could effectively determine whether or not the SYN could be
dropped at the firewall and not sent through to spam our hosts.  If the
source responds, release the SYN and let it pass through to the intended
host.  If it does not, trash the SYN and log the failure.

Some moderate tracking and aging methods could be employed to
intelligently quick-drop sources we know are recently offline, and lessen
the amount of echo requests we send out.

Could this be a potential defense?  If so, what products would be best
suited to implement this?

hope this helps,
-r

Roderick Murchison, Jr.                      murchiso@vivid.newbridge.com
Newbridge Networks, Inc.                     office: (703) 708-5930
Product Manager - VIVID ACS                     fax: (703) 708-5937
Herndon, VA 22070-5241                       http://www.vivid.newbridge.com
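Added illustration, not code from the thread or from either poster: a small
simulation of the "detain the SYN, ping the source, release or drop" rule
proposed above, including the tracking-and-aging cache it mentions so that a
source already known to be offline is quick-dropped without a fresh echo
request. The ICMP probe is replaced by a lookup in a constructed reachability
table (an assumption, so the example runs offline); all addresses and the
fake clock are constructed for the demonstration. It also shows what the rule
as described does and does not do: a source that never answers is dropped and
logged every time, while any source that does answer is let through,
regardless of anything else in the SYN.

```python
"""Simulation of a SYN-detaining firewall: probe the source, release or drop.

Added example, not from the original thread.  probe_echo() is a stand-in
(assumption) for "send an ICMP echo request and wait for the reply"; here
reachability is looked up in a constructed table so the code runs offline.
"""
import time
from collections import namedtuple

# Minimal record of a detained SYN segment (constructed, fields we need only).
Syn = namedtuple("Syn", "src dst dport")

# Constructed sample: which source addresses "answer ping" in this simulation.
REACHABLE = {"192.0.2.10", "198.51.100.7"}


def probe_echo(src, reachable=REACHABLE):
    """Stand-in for the ICMP echo request/reply check (assumption)."""
    return src in reachable


class FakeClock:
    """Deterministic clock so cache aging can be exercised without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class SynGate:
    """Detain each SYN, verify its source, then release or drop it.

    Verdicts are cached per source with a TTL: a 'release' verdict is trusted
    for good_ttl seconds, a 'drop' verdict for bad_ttl seconds, after which
    the source is probed again.  This is the 'tracking and aging' the post
    suggests to cut down on echo requests.
    """

    def __init__(self, probe=probe_echo, good_ttl=60.0, bad_ttl=300.0,
                 clock=time.monotonic):
        self.probe = probe
        self.good_ttl = good_ttl
        self.bad_ttl = bad_ttl
        self.clock = clock
        self.cache = {}        # src -> (verdict, expires_at)
        self.probes_sent = 0   # how many echo requests we would have sent
        self.log = []          # dropped SYNs, as the post asks to log failures

    def _cached(self, src):
        entry = self.cache.get(src)
        if entry is None:
            return None
        verdict, expires = entry
        if self.clock() >= expires:
            del self.cache[src]  # aged out: re-verify on next SYN
            return None
        return verdict

    def handle(self, syn):
        """Return 'release' or 'drop' for one detained SYN."""
        verdict = self._cached(syn.src)
        if verdict is None:
            self.probes_sent += 1
            verdict = "release" if self.probe(syn.src) else "drop"
            ttl = self.good_ttl if verdict == "release" else self.bad_ttl
            self.cache[syn.src] = (verdict, self.clock() + ttl)
        if verdict == "drop":
            self.log.append(syn)
        return verdict


def run_sample():
    """Run a constructed burst through the gate and summarise the outcome."""
    clock = FakeClock()
    gate = SynGate(clock=clock)
    flood_src = "203.0.113.99"   # constructed: a source that never answers
    victim = "10.0.0.5"
    sample = ([Syn("192.0.2.10", victim, 80)]
              + [Syn(flood_src, victim, 80)] * 5      # repeated SYNs, one probe
              + [Syn("198.51.100.7", victim, 25)])
    verdicts = [gate.handle(s) for s in sample]
    clock.advance(301)                                # past bad_ttl: re-probe
    verdicts.append(gate.handle(Syn(flood_src, victim, 80)))
    return {"verdicts": verdicts,
            "probes": gate.probes_sent,
            "dropped": len(gate.log)}


if __name__ == "__main__":
    print(run_sample())
```

In the sample burst the five repeated SYNs from the unanswering source cost
one echo request, not five, and the source is probed again only after the
drop verdict ages out; the two sources that answer are released on their
first SYN and cached. Note that the cache is keyed purely on source address,
which is exactly what the posted rule checks and all it checks.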
