[4350] in North American Network Operators' Group
Re: SYN floods - possible solution? (fwd)
daemon@ATHENA.MIT.EDU (alex@relcom.EU.net)
Fri Sep 13 11:42:22 1996
Date: Fri, 13 Sep 96 19:19:48 +0400
To: jhall@rex.isdn.net, michael@memra.com
Cc: nanog@merit.edu
From: alex@relcom.EU.net
... and other discussion about <<they are updating phasers and
we are building new shields>>...
Please, note one important issue. You can protect you server from SYN attack, you
can protect it against spoofing, etc... But IF customer (cracker) will be allowed
to send packets with the ANY SRC address into the whole network, he (cracker)
will have always 1,000 different ways of cracking the Internet. He can send
DNS request with YOUR src address, he can send SYN's, he can send ICMP UNREACHABLE
and any other packets. The only shield you can use this case is _your pipe
is larger then him one_. But if there is any way to cause some server
to send 10 packets on 1 requesting UDP packet - that's all...
The ONLY way of preventing this attacks is SRC CONTROL you must have on
the boundaries with the customers. IP provider have to control customers STRICTLY.
One way to do it is _to check routing of SRC address_. Then (in this check) different
criterias of filtering can be used. The easiest is _back routing have to be the same
as direct routing_; another is _SRC from interface0 can't be routed to interface2_,
etc...
But anyway, this (by SRC) filtering is the only way of creating good shield.
---
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)