[4344] in North American Network Operators' Group
Re: SYN floods - possible solution? (fwd)
daemon@ATHENA.MIT.EDU (Michael Dillon)
Fri Sep 13 04:33:54 1996
Date: Fri, 13 Sep 1996 01:30:45 -0700 (PDT)
From: Michael Dillon <michael@memra.com>
To: nanog@merit.edu
cc: freebsd-hackers@freebsd.org
In-Reply-To: <199609130820.EAA06157@panix.com>
On Fri, 13 Sep 1996, Alexis Rosen wrote:
> But... I still don't believe that this is a good global solution. Most ISPs
> can't cope with this. The clue level I've been seeing among many of the
> ISP "engineers" and "systems administrators" who have called in the last
> few days to ask for help ("is your problem happening to me too???") is
> astonishingly low. :-(
Tell me about it. But if this kind of solution could be packaged up in a
single box with two ethernet interfaces then a lot of less clueful ISPs
could easily install such a thing and protect their whole network. If the
box also provided default filters on source addresses that could help
solve another problem as well. The fear of attack may well be the force
which overcomes inertia here and gets more ISPs up to speed on these
issues just like AIDS brought the issues of safe sex to the forefront.
> I also have no clue what I'd choose to implement this on. It *could* be
> done in a unix kernel but that's probably a really *bad* choice. I'm sure
> plenty of people out there know some good possibilities, though.
Well, the advantage to using something like FreeBSD is that it is freely
available, well-documented, and eligible for creating commercial products
as long as you check copyrights carefully. Most parts of FreeBSD have no
commercial use restrictions like GNU does.
And FreeBSD already has the basic functionality in it including support
for readily available hardware including 10baseT and 100baseTx and FDDI
interfaces. Building this kind of box would be mostly an exercise in
subtraction and it may well be possible to strip enough stuff out that it
can all be booted off a 1.44 megabyte diskette into a diskless 486 or
Pentium box with a RAMdisk.
At that point all an ISP needs to do is download a file, a disk writing
utility (RAWRITE.EXE) and assemble a box with certain standard components
like their choice of 3 types of network card as mentioned above. If the
box included ssh for the admin interface maybe it could create a precedent
for router manufacturers?
NOTE: I copied this one to freebsd-hackers
Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com