[4390] in North American Network Operators' Group


Re: SYN Flooding [info] (fwd)

daemon@ATHENA.MIT.EDU (Avi Freedman)
Sat Sep 14 22:02:09 1996

From: Avi Freedman <freedman@netaxs.com>
To: michael@memra.com (Michael Dillon)
Date: Sat, 14 Sep 1996 22:00:45 -0400 (EDT)
Cc: nanog@merit.edu
In-Reply-To: <Pine.BSI.3.93.960913203314.19498H-100000@sidhe.memra.com> from "Michael Dillon" at Sep 13, 96 08:33:46 pm

> The attack is on!  Both 2600 and Phrack, two of the biggest and best-known
> underground hacking magazines, have posted exploit code to do one of the
> nastiest denial-of-service attacks that the Internet has seen so far.
> Hundreds of people have access to these programs to bring down services on
> the Internet.  Many of these people are targeting their attacks at various
> organizations such as ISPs.  Panix, an ISP, has been under attack for quite
> a few days now and they have not been able to receive email. Many other

The reporting on these events has sucked big-time.
Panix couldn't receive mail for two multiple-hour periods.
After that, telnet and web ports were attacked.
We're not going to talk about implementations, but some solutions have
been implemented.

Alexis feels that it's very important to get wide press coverage, to
help to force ISPs/NSPs to filter outbound crap from their network.
I agree that everyone from the small to the large regional should do
this.

> Another way to fix this is to set the kernel maximum number of half open
> connections allowed (SO_MAXCONN) to a higher number than the default value.

Or eliminate it; a Sparc 1+ has been able to handle over 1000 SYNs/sec
while still serving with no SO_MAXCONN (the test eliminated in the kernel)
and with the SYN timeout set to 7 seconds (a bit aggressive; we may use
15 seconds when we put these patches in permanently tomorrow).

> We have a tool that will look for SYN packets that do not get followed with
> ACK and clean the half open connections by sending a RST packet.  This 
> unclogs the port and allows legitimate connections to happen.  This tool
> is called RealSecure (tm).  To obtain a copy of the RealSecure tool,
> send email to majordomo@Iss.net and within the body of the message, type: 
> 
> 	subscribe realsecure
> 
> RealSecure (tm) is a comprehensive attack recognition and real time response
> tool that ISS is alpha testing and will expire in 60 days.

This sounds very good...
Maybe someone will even post a free, limited-function one as goodwill.

> -- 
> Christopher William Klaus	     Voice: (770)395-0150. Fax: (770)395-1972
> Internet Security Systems, Inc.                        "Internet Scanner finds
> Ste. 660,41 Perimeter Center East,Atlanta,GA 30346 your network security holes
> Web: http://www.iss.net/  Email: cklaus@iss.net        before the hackers do."

Avi
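The two knobs argued over in this thread (the half-open connection cap, i.e. the BSD listen backlog limit SOMAXCONN, which the messages above write as SO_MAXCONN, and the SYN timeout) and the RealSecure-style check for SYNs never followed by an ACK can be seen working against each other in a small model. The following is an added example, not code from the thread, from Panix or from ISS: it replays a constructed packet trace (20 spoofed SYNs in 0.2 s, then two genuine clients) through a model of one listening port's SYN_RCVD queue. The trace, the addresses, the 75 s "long timeout" and the 7 s value are illustrative choices, not measurements from the thread.

```python
# Added example, not code from the NANOG thread: a model of a listening
# socket's half-open (SYN_RCVD) queue replayed over a constructed packet
# trace, to show the backlog cap (SOMAXCONN on BSD, SO_MAXCONN in the
# thread), the SYN timeout, and the RealSecure-style check for SYNs that
# are never followed by an ACK. All addresses and timings are made up.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, int]  # (source address, source port)


@dataclass
class Packet:
    t: float    # seconds since trace start
    src: str    # source address (spoofed for the flood packets)
    sport: int
    flags: str  # "S" = SYN, "A" = the client's final handshake ACK


@dataclass
class ListenQueue:
    """Half-open queue of one listening port; backlog=None means no cap."""
    backlog: Optional[int]
    syn_timeout: float
    half_open: Dict[Key, float] = field(default_factory=dict)
    established: List[Key] = field(default_factory=list)
    dropped: List[Key] = field(default_factory=list)
    peak_half_open: int = 0

    def expire(self, now: float) -> None:
        # Reclaim SYN_RCVD entries older than the SYN timeout.
        stale = [k for k, t0 in self.half_open.items() if now - t0 >= self.syn_timeout]
        for k in stale:
            del self.half_open[k]

    def handle(self, pkt: Packet) -> str:
        self.expire(pkt.t)
        key = (pkt.src, pkt.sport)
        if pkt.flags == "S":
            if self.backlog is not None and len(self.half_open) >= self.backlog:
                self.dropped.append(key)      # queue full: client never gets a SYN/ACK
                return "dropped"
            self.half_open[key] = pkt.t
            self.peak_half_open = max(self.peak_half_open, len(self.half_open))
            return "syn_rcvd"
        if pkt.flags == "A" and key in self.half_open:
            del self.half_open[key]           # handshake completed
            self.established.append(key)
            return "established"
        return "ignored"                      # e.g. an ACK for a SYN we dropped


def build_trace() -> List[Packet]:
    """Constructed trace: 20 spoofed SYNs within 0.2 s, then two real clients."""
    trace = [Packet(i * 0.01, f"10.0.{i}.1", 40000 + i, "S") for i in range(20)]
    trace += [Packet(0.50, "192.0.2.10", 51000, "S"), Packet(0.55, "192.0.2.10", 51000, "A")]
    trace += [Packet(8.00, "192.0.2.11", 51001, "S"), Packet(8.05, "192.0.2.11", 51001, "A")]
    return sorted(trace, key=lambda p: p.t)


def simulate(backlog: Optional[int], syn_timeout: float, trace: List[Packet]) -> dict:
    """Replay the trace and report how the two real clients fared."""
    q = ListenQueue(backlog, syn_timeout)
    for pkt in trace:
        q.handle(pkt)
    return {"established": len(q.established), "dropped": len(q.dropped),
            "peak_half_open": q.peak_half_open}


def orphaned_syns(trace: List[Packet], window: float) -> List[Key]:
    """SYNs with no matching ACK within `window` seconds: the half-open
    entries a RealSecure-style tool would tear down with a RST."""
    acks: Dict[Key, List[float]] = {}
    for p in trace:
        if p.flags == "A":
            acks.setdefault((p.src, p.sport), []).append(p.t)
    orphans = []
    for p in trace:
        if p.flags != "S":
            continue
        key = (p.src, p.sport)
        if not any(p.t < t <= p.t + window for t in acks.get(key, [])):
            orphans.append(key)
    return orphans


if __name__ == "__main__":
    trace = build_trace()
    print("backlog 8, 75 s timeout:", simulate(8, 75.0, trace))   # flood wins
    print("no cap,    7 s timeout:", simulate(None, 7.0, trace))
    print("backlog 8,  7 s timeout:", simulate(8, 7.0, trace))
    print("orphaned SYNs:", len(orphaned_syns(trace, 3.0)))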

home help back first fref pref prev next nref lref last post