[4424] in North American Network Operators' Group
Re: New Denial of Service Attack on Panix
daemon@ATHENA.MIT.EDU (Avi Freedman)
Mon Sep 16 21:00:20 1996
From: Avi Freedman <freedman@netaxs.com>
To: michael@memra.com (Michael Dillon)
Date: Mon, 16 Sep 1996 20:53:57 -0400 (EDT)
Cc: nanog@merit.edu, iepg@iepg.org
In-Reply-To: <Pine.BSI.3.93.960916172553.3265L-100000@sidhe.memra.com> from "Michael Dillon" at Sep 16, 96 05:31:07 pm
> Have a look at the firewalls mailing list archive for more info
> http://www.greatcircle.com/firewalls/archive/firewalls.9609.Z
>
> There are at least three things you can do to protect yourself from such
> attacks. One is to patch your UNIX/BSD kernel to allow much higher numbers
> of incomplete socket connections. One is to have another machine or your
> network issue RST's for sockets that it thinks are part of the SYN flood
I like this.
> attack. And one is to install a SYN proxy machine between your net and the
> Internet which catches all SYN packets and holds them until an ACK is
> received at which point the SYN and the ACK are passed on to your network.
I like this even more, but the potential for disaster if the box goes down
is just too huge...
> Such a proxy can be built to handle HUGE numbers of incomplete connections.
>
> Michael Dillon - ISP & Internet Consulting
Avi
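The third countermeasure quoted above (a proxy that answers SYNs itself and only hands the connection to the protected network once the client's ACK arrives) is easier to reason about with a small model. The simulation below is an added example, not code from either poster; it assumes a single-threaded proxy with a bounded, time-limited half-open table, and all "packets" are a constructed list of dictionaries rather than real network traffic. It shows that under a burst of SYNs that never complete, the protected server still sees only the two handshakes that actually finish, and the proxy's state stays capped at the table size.

```python
# Added example (not from the thread): a SYN-proxy simulation in the spirit of
# the third countermeasure above. The proxy answers each client SYN itself,
# keeps half-open state in a bounded, time-limited table, and only passes the
# handshake to the protected server once the client's ACK arrives. Traffic is
# a constructed list of packet dicts, not real sockets.
from collections import OrderedDict
from dataclasses import dataclass, field


@dataclass
class SynProxy:
    max_half_open: int = 1000      # size of the proxy's half-open table
    timeout: float = 3.0           # seconds a SYN may wait for its ACK
    half_open: OrderedDict = field(default_factory=OrderedDict)  # (src, sport) -> time of SYN
    forwarded: list = field(default_factory=list)  # handshakes handed to the server
    evicted: int = 0               # oldest entries pushed out by a full table
    expired: int = 0               # entries that timed out without an ACK
    peak: int = 0                  # largest table size observed

    def _expire(self, now):
        # Drop half-open entries whose ACK never came within the timeout.
        stale = [k for k, t in self.half_open.items() if now - t > self.timeout]
        for k in stale:
            del self.half_open[k]
        self.expired += len(stale)

    def on_packet(self, pkt):
        """Return the proxy's action for one packet."""
        now = pkt["t"]
        self._expire(now)
        key = (pkt["src"], pkt["sport"])
        if pkt["flags"] == "SYN":
            if key in self.half_open:
                return "retransmit"       # already answered; nothing new to do
            if len(self.half_open) >= self.max_half_open:
                self.half_open.popitem(last=False)   # drop the oldest half-open entry
                self.evicted += 1
            self.half_open[key] = now
            self.peak = max(self.peak, len(self.half_open))
            return "syn-ack"              # proxy replies on the server's behalf
        if pkt["flags"] == "ACK":
            if key in self.half_open:
                del self.half_open[key]
                self.forwarded.append(key)
                return "forward"          # handshake complete: open it to the server
            return "rst"                  # ACK with no matching SYN
        return "ignore"


def constructed_traffic():
    """Constructed packet stream: 3000 SYNs that never complete, two clients
    that do complete, and one stray ACK. Addresses are documentation ranges."""
    events = []
    for i in range(3000):
        events.append({"t": 0.001 * i, "src": f"10.0.{i // 256}.{i % 256}",
                       "sport": 40000 + i, "flags": "SYN"})
    for j, src in enumerate(["192.0.2.10", "192.0.2.11"]):
        events.append({"t": 3.1 + j, "src": src, "sport": 50000, "flags": "SYN"})
        events.append({"t": 3.2 + j, "src": src, "sport": 50000, "flags": "ACK"})
    events.append({"t": 6.0, "src": "198.51.100.7", "sport": 1234, "flags": "ACK"})
    return events


def run_simulation(max_half_open=1000):
    """Run the constructed traffic through the proxy and summarise the outcome."""
    proxy = SynProxy(max_half_open=max_half_open)
    actions = [proxy.on_packet(p) for p in constructed_traffic()]
    return {
        "server_saw": len(proxy.forwarded),        # handshakes forwarded to the server
        "peak_half_open": proxy.peak,              # never exceeds max_half_open
        "evicted": proxy.evicted,
        "expired": proxy.expired,
        "rst_sent": actions.count("rst"),
        "left_in_table": len(proxy.half_open),
    }


if __name__ == "__main__":
    for k, v in run_simulation().items():
        print(f"{k}: {v}")
```

The eviction policy (drop the oldest half-open entry when the table is full) is what keeps the proxy itself from becoming the exhausted resource; the cost, visible in the `evicted` counter, is that a legitimate client whose SYN is pushed out before its ACK arrives has to retransmit. That trade-off, plus the fact that everything depends on this one box staying up, is the disaster scenario Avi alludes to.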