[4386] in North American Network Operators' Group
Re: SYN floods (was: does history repeat itself?)
daemon@ATHENA.MIT.EDU (Mr. Jeremy Hall)
Sat Sep 14 16:56:41 1996
From: "Mr. Jeremy Hall" <jhall@rex.isdn.net>
To: alex@relcom.eu.net
Date: Sat, 14 Sep 1996 15:52:53 -0500 (CDT)
Cc: curtis@ans.net, nanog@merit.edu, perry@piermont.com
In-Reply-To: <ACdffEoirI@arch.relcom.ru> from "alex@relcom.eu.net" at Sep 14, 96 03:43:35 pm
-->> Traffic is already slow enough when a router is unstable because it may
-->> not know how to get to the destination, but if you throw in the
-->> requirement that it has to know how to get to the source as well, didn't
-->> you just help the hacker by shutting down service for lots of people?
-->How? I can't understand how this helps the hackers.
-->
-->Though you are right in the case of Universities (and it's no secret that universities
-->are the motherland of the hackers -:)).
-->---
In order for your idea to work, the router where you're doing the
filtering must know how to get to all destinations on the Internet, must
not have a default network or route, and they must be symmetrical.
As far as your other statement, when an instability occurs, all traffic
starts getting slow because the routers are trying to reroute around a
flapping T3 or whatever caused the outage. Since the whole point around a
denial of service attack is to deny service, by adding in the fact that
we need to know how to get to the source address before we forward the
packet introduces more problems. I think you would find this hurts more
than it helps. Even if you limit this kind of lookup to when the packet
happens to be a TCP packet with the SYN option, you still have a problem
in establishing a connection. This creates frustration on the part of the
end user.
--
-------------------------------------------
| Jeremy Hall Network Engineer |
| ISDN-Net, Inc Office +1-615-371-1625 |
| Nashville, TN and the southeast USA |
| jhall@isdn.net Pager +1-615-702-0750 |
-------------------------------------------
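The check Jeremy is objecting to is a strict reverse-path test: before forwarding a packet, look up its *source* address and accept it only if the route back to that source leaves through the interface the packet arrived on. The following is an added model of that test, written for this archive page and not code from the original thread or from any router vendor; the prefixes, interface names and packets are constructed (documentation address ranges) purely to show the three conditions the message lists. It generalises slightly beyond the mail by also modelling a route that is temporarily withdrawn during a flap.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed routing table for a hypothetical border router: prefix -> egress interface.
# Prefixes are from the documentation ranges; interface names are made up.
ROUTES: Dict[str, str] = {
    "192.0.2.0/24": "eth0",     # customer A lives behind eth0
    "198.51.100.0/24": "eth1",  # customer B lives behind eth1
    "203.0.113.0/24": "eth2",   # transit peer is reached via eth2
}

Table = List[Tuple[ipaddress.IPv4Network, str]]


def build_table(routes: Dict[str, str]) -> Table:
    """Turn the prefix->interface mapping into parsed networks for matching."""
    return [(ipaddress.ip_network(p), iface) for p, iface in routes.items()]


def lookup(table: Table, addr: str) -> Optional[str]:
    """Longest-prefix match: the interface the router would use to reach addr,
    or None when nothing in the table covers it."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, iface in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def strict_rpf_accept(table: Table, src: str, in_iface: str) -> bool:
    """Forward only if the route back to the source points out the arrival interface.
    An unroutable source (lookup returns None) never matches, so it is dropped."""
    return lookup(table, src) == in_iface


def scenarios() -> Dict[str, bool]:
    """Exercise the check against the conditions named in the message."""
    table = build_table(ROUTES)
    # Same router once somebody adds a default route pointing at transit.
    with_default = build_table({**ROUTES, "0.0.0.0/0": "eth2"})
    # Same router while customer B's prefix is withdrawn during a flap.
    during_flap = build_table({k: v for k, v in ROUTES.items() if v != "eth1"})

    return {
        # Spoofed, unroutable source arriving from transit, no default route: dropped.
        "spoofed_no_default": strict_rpf_accept(table, "10.9.8.7", "eth2"),
        # Same packet once a default route exists and points at the arrival
        # interface: every unroutable source now "has a route", so it passes.
        "spoofed_with_default": strict_rpf_accept(with_default, "10.9.8.7", "eth2"),
        # Legitimate customer A packet arriving on its own interface: accepted.
        "legit_symmetric": strict_rpf_accept(table, "192.0.2.10", "eth0"),
        # Same legitimate source, but asymmetric routing brings it in via eth1: dropped.
        "legit_asymmetric": strict_rpf_accept(table, "192.0.2.10", "eth1"),
        # Legitimate customer B packet while B's route is flapping: dropped.
        "legit_during_flap": strict_rpf_accept(during_flap, "198.51.100.5", "eth1"),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:22s} -> {'forward' if accepted else 'drop'}")
```

The three `False` results that are not the spoofed packet are the cost the mail is pointing at: asymmetric paths and routes that vanish during instability both turn into dropped connection attempts for legitimate users, while a default route quietly makes the check pass everything that arrives on the default's interface.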