[4353] in North American Network Operators' Group
Re: SYN floods continue
daemon@ATHENA.MIT.EDU (Jim Forster)
Fri Sep 13 12:21:40 1996
To: Vadim Antonov <avg@quake.net>
cc: alexis@panix.com, nanog@merit.edu, dino@cisco.com, dkatz@cisco.com,
dkerr@cisco.com, gchristy@cisco.com
In-reply-to: Your message of "Wed, 11 Sep 1996 15:12:48 PDT."
<199609112212.PAA00679@quest.quake.net>
Date: Fri, 13 Sep 1996 09:17:59 -0700
From: Jim Forster <forster@cisco.com>
> Again, the rule is "don't accept packets from an interface if there's no
> route for their source addresses pointing back to the same interface".
> Note that that route does not have to be the best one -- just that the
> router gets it from somewhere.
Without discussing it with the right folks here ahead of time, I suspect we
could do this at good speed in some, but not all routers, in our product
line. The solution I have in mind would not be suitable for some places in
the net. We'd put the extra checks in the slow path which Curtis hates so
much, and then use our 'flow-switching' cache, which is keyed by src/dest
addresses & ports. So packets which fail the source address scrutiny in the
slow path aren't put in the flow-switching cache. I can't recall if we
cache negatives there, but in any event apparently the attacks involve SYN
flows on the order of 100's of PPS, which might go through the slow path
OK. BTW, I believe the criterion Vadim suggests is similar to that used in
RPF Multicast flooding.
Now the big question: is this useful in routers carrying a default route?
-- Jim
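The reverse-path rule quoted above, as an added example that is not part of the thread (the routing table, interface names and addresses are constructed): the check is run in two flavours, "best" (only the longest-prefix route counts) and "any" (any route for the source via the arriving interface counts, the relaxed form Vadim describes), and the same packets are run again with a default route present to show what the check does in that case.

```python
import ipaddress

# Constructed routing table (prefix, outgoing interface): not from the thread.
# The overlapping routes for 10.1.5.0/24 model a source reachable through
# more than one interface, where the best route is not the only route.
ROUTES = [
    ("10.1.0.0/16", "eth0"),   # customer A behind eth0
    ("10.2.0.0/16", "eth1"),   # customer B behind eth1
    ("10.1.5.0/24", "eth1"),   # a subnet of A also learned via eth1
]
# The same table plus a default route toward an upstream on eth2.
ROUTES_WITH_DEFAULT = ROUTES + [("0.0.0.0/0", "eth2")]


def rpf_check(routes, src_ip, in_iface, mode="any"):
    """Reverse-path check on a packet's source address.

    mode="best": the longest-prefix (best) route for src must point back
                 out in_iface (what is usually called strict uRPF).
    mode="any":  any route covering src that points out in_iface is enough,
                 which is the relaxed rule quoted in the message above.
    Returns True when the packet should be accepted.
    """
    src = ipaddress.ip_address(src_ip)
    matching = [(ipaddress.ip_network(p), iface) for p, iface in routes
                if src in ipaddress.ip_network(p)]
    if not matching:
        return False            # no route at all for the source: drop
    if mode == "best":
        best = max(n.prefixlen for n, _ in matching)
        matching = [(n, i) for n, i in matching if n.prefixlen == best]
    return any(iface == in_iface for _, iface in matching)


def filter_syns(routes, packets, mode="any"):
    """Run constructed (src_ip, in_iface) SYN arrivals through the check and
    return the ones that would be dropped, i.e. never reach the flow cache."""
    return [(s, i) for s, i in packets if not rpf_check(routes, s, i, mode)]


if __name__ == "__main__":
    # Constructed sample: a legitimate SYN, a spoofed one, a source whose best
    # route is via another interface, and a spoofed SYN from the upstream side.
    PACKETS = [("10.1.1.1", "eth0"), ("10.1.1.1", "eth1"), ("10.1.5.7", "eth0"),
               ("10.1.5.7", "eth1"), ("192.0.2.9", "eth0"), ("10.1.1.1", "eth2")]
    for mode in ("best", "any"):
        print(mode, "no default:", filter_syns(ROUTES, PACKETS, mode))
        print(mode, "with default:", filter_syns(ROUTES_WITH_DEFAULT, PACKETS, mode))
```

With the default route in the table, the "any" flavour accepts every source arriving on eth2, while the "best" flavour still drops 10.1.1.1 on eth2 because a more specific route points out eth0.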