[4406] in North American Network Operators' Group

Re[4]: SYN floods (was: does history repeat itself?)

daemon@ATHENA.MIT.EDU (Pat Calhoun)
Mon Sep 16 08:49:39 1996

Date: Fri, 13 Sep 1996 15:49:45 -0500
From: pcalhoun@usr.com (Pat Calhoun)
To: "John G. Scudder" <jgs@ieng.com>, Joel Gallun <joel@wauug.erols.com>
Cc: curtis@ans.net, nanog@merit.edu

     Joel,
     
        If I understand what you are stating is that the filtering which I 
     have described could work for dial-up users, but not for customers 
     which have a dedicated "leased" line into the network. You state that 
     this is not possible due to the CPU overhead that the filtering of 
     each packet creates.
     
        Out of curiosity, what would the CPU usage be on a typical router 
     in your installation??? Also, do we know what the overhead is for a 
     single filter at the ingress on a router such as a Cisco???
     
     Pat R. Calhoun                                e-mail: pcalhoun@usr.com 
     Project Engineer - Lan Access R&D                phone: (847) 933-5181 
     US Robotics Access Corp.

______________________________ Reply Separator _________________________________
Subject: Re: Re[2]: SYN floods (was: does history repeat itself?)
Author:  Joel Gallun <joel@linux.wauug.org> at Internet
Date:    9/12/96 2:52 PM


What you propose is a Good Thing (tm), but I don't think it's sufficient. 
It still doesn't protect the 'net from antisocial behavior perpetrated by 
someone who has penetrated a system with dedicated access to the 'net. It 
seems like it would still be necessary for anyone selling dedicated access 
to install Good Neighbor (tm) anti-spoofing filters on their inbound 
interfaces (which probably requires MIPS that the routers in the field 
don't have).
     
Regards,
     
Joel
     
On Thu, 12 Sep 1996, John G. Scudder wrote:
     
> At 1:44 PM -0400 9/12/96, Curtis Villamizar wrote:
> >I agree with you completely -- sort of.  Only problem is there are
> >thought to be some 3,000 dial access providers.  Many of them barely 
> >know what a TCP SYN is, let alone why they need to block ones with
> >random source addresses and how.  Unless of course you are 
>                                    ^^^^^^^^^^^^^^^^^^^^^^^^
> >volunteering to explain it and help them.  Thanks in advance.  :-) 
>  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> Curtis, this is a great point.  USR and other NAS vendors are actually in a 
> great position to do exactly this, by changing their boxes to block random 
> addresses *by default* on dial-up ports.  This is of course exactly the
> point Vadim and others keep making, and of course as they point out there 
> ought to be a knob to disable it if desired.
> 
> Insofar as guys who "barely know what a TCP SYN is" are unlikely to twist
> the knobs, defaulting filtering to "block spoofed addresses" seems like the 
> best and maybe only way to get them to do it.
> 
> How about it, USR &al?
> 
> --John
> 
> --
> John Scudder                        email:  jgs@ieng.com
> Internet Engineering Group, LLC     phone:  (313) 669-8800 
> 122 S. Main, Suite 280              fax:    (313) 669-8661
> Ann Arbor, MI  41804                www:    http://www.ieng.com 
> 
> 
     
Attached RFC822 message headers:

Received: from usr.com (mailgate.usr.com) by robogate2.usr.com with SMTP
  (IMA Internet Exchange 2.02 Enterprise) id 2385AC40; Thu, 12 Sep 96 13:47:32 -0500
Received: from wauug.erols.com by usr.com (8.7.5/3.1.090690-US Robotics)
	id NAA19732; Thu, 12 Sep 1996 13:50:52 -0500 (CDT)
Received: from localhost (joel@localhost) by wauug.erols.com (8.7.6/8.7.3) with
  SMTP id OAA09425; Thu, 12 Sep 1996 14:52:10 -0400
Date: Thu, 12 Sep 1996 14:52:10 -0400 (EDT)
From: Joel Gallun <joel@linux.wauug.org>
To: "John G. Scudder" <jgs@ieng.com>
cc: curtis@ans.net, Pat Calhoun <pcalhoun@usr.com>, nanog@merit.edu
Subject: Re: Re[2]: SYN floods (was: does history repeat itself?)
In-Reply-To: <v03007824ae5e06a40fbb@[198.108.88.23]>
Message-ID: <Pine.LNX.3.94.960912144757.5745D-100000@wauug.erols.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

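The thread argues over where to put source-address (anti-spoofing) ingress filters: on dial-up ports by default, with a knob to turn them off, and whether the same per-packet check is affordable on interfaces carrying leased-line customers. The following is an added illustrative model of that check, not code from the thread, from USR, or from any router vendor. It assumes constructed interface names, assigned prefixes and a short packet trace; a real router would do the same per-interface source lookup in its forwarding path rather than in Python.

```python
"""Model of a per-interface anti-spoofing ingress filter.

Added example (constructed data): an interface admits a packet only if its
source address falls inside a prefix legitimately assigned behind that
interface. Filtering is on by default; a per-interface knob can disable it.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass
class Interface:
    name: str
    # Prefixes legitimately sourced behind this interface (assumed assignments).
    allowed: List[IPv4Network]
    # The "knob" from the thread: filtering defaults to on, can be disabled.
    antispoof: bool = True
    passed: int = 0
    dropped: int = 0


def build_interfaces() -> Dict[str, Interface]:
    """Constructed sample: a dial-up pool, a leased-line customer with two
    prefixes, and one interface where the operator turned the knob off."""
    return {
        "dialup-pool-1": Interface(
            "dialup-pool-1", [ip_network("192.0.2.0/24")]),
        "leased-cust-a": Interface(
            "leased-cust-a",
            [ip_network("198.51.100.0/24"), ip_network("203.0.113.64/26")]),
        "legacy-unfiltered": Interface(
            "legacy-unfiltered", [ip_network("203.0.113.0/26")], antispoof=False),
    }


def ingress_permit(iface: Interface, src: str) -> bool:
    """Return True if a packet with source `src` may enter via `iface`.

    This is the per-packet work the thread worries about: one source-address
    lookup against the interface's allowed prefixes. On a short list a linear
    scan is fine; a router would use its prefix-lookup structure instead.
    """
    if not iface.antispoof:
        iface.passed += 1
        return True
    addr = ip_address(src)
    ok = any(addr in net for net in iface.allowed)
    if ok:
        iface.passed += 1
    else:
        iface.dropped += 1
    return ok


def run_sample() -> Dict[str, Tuple[int, int]]:
    """Run a constructed trace through the filter; return (passed, dropped)
    counters per interface."""
    ifaces = build_interfaces()
    # Constructed packet trace: (ingress interface, claimed source address).
    packets = [
        ("dialup-pool-1", "192.0.2.17"),      # legitimate dial-up user
        ("dialup-pool-1", "10.9.8.7"),        # random source: dropped
        ("dialup-pool-1", "198.51.100.5"),    # another customer's prefix: dropped
        ("leased-cust-a", "203.0.113.70"),    # inside the second assigned prefix
        ("leased-cust-a", "203.0.113.5"),     # outside the /26: dropped
        ("legacy-unfiltered", "10.0.0.1"),    # knob off: admitted regardless
    ]
    for name, src in packets:
        ingress_permit(ifaces[name], src)
    return {n: (i.passed, i.dropped) for n, i in ifaces.items()}


if __name__ == "__main__":
    for name, (passed, dropped) in run_sample().items():
        print(f"{name:20s} passed={passed} dropped={dropped}")
```

The `legacy-unfiltered` interface shows why the thread wants the default to be "block": an operator who never touches the knob still gets the filter, while one who disables it leaves every source address through. The counters are the operational check a defender would watch; a rising `dropped` count on a dial-up port is the signature of spoofed traffic the filter is absorbing.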