[4426] in North American Network Operators' Group
Re: New Denial of Service Attack on Panix
daemon@ATHENA.MIT.EDU (Craig A. Huegen)
Mon Sep 16 21:37:23 1996
Date: Mon, 16 Sep 1996 18:32:34 -0700 (PDT)
From: "Craig A. Huegen" <c-huegen@quad.quadrunner.com>
To: Tim Bass <bass@cactus.silkroad.com>
cc: "Kent W. England" <kwe@6SigmaNets.com>, nanog@merit.edu, iepg@iepg.org
In-Reply-To: <199609162346.TAA01878@cactus.silkroad.com>
On Mon, 16 Sep 1996, Tim Bass wrote:
==>Show me the topology, the router configurations of the gateways,
==>and the format of the denial-of-service attack packets and I'll
==>be surprised if I can't devise a scheme to stop it, even if
==>the attacker changes source addresses frequently (and I'm
==>happy to do it).
Okay, here you go... come up with a plan.
I have a machine, X. It is directly off FastEthernet 1/1 of my 7513, Y.
My net connection is a T1, off Serial0/0 of Y, to my provider's router, Z.
X is 172.30.15.5/28, Y's Fast1/1 is 172.30.15.1/28, Y's Serial0/0 is
192.168.1.2/30, and Z's serial interface to me is 192.168.1.1/30.
Configuration is standard, only access list on my router is an outbound
access-list filtering my source addresses to make sure only
packets with sources of 172.30.0.0/16 get out. It's applied in this
fashion:
access-list 115 permit ip 172.30.0.0 0.0.255.255 any
access-list 115 deny ip any any log
interface Serial0/0
ip access-group 115 out
The SYN flood coming towards my host X looks like this, at approximately
2,000 PPS:
182.58.239.2.1526 -> 172.30.15.5.80 TCP SYN
19.23.212.4.10294 -> 172.30.15.5.80 TCP SYN
93.29.233.68.4355 -> 172.30.15.5.80 TCP SYN
[... on and on ...]
Tell me how to filter this.
/cah
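The capture format and the filtering problem in the message above, as an added example that is not part of the original post or of any product it mentions: a small Python detector that reads SYN lines in the quoted "src.port -> dst.port TCP SYN" format and shows why a per-source deny never accumulates hits against a spoofed flood, while a destination-side rate and fan-in check does. The leading per-second timestamp on each line, the 10.1.1.9 client and the seeded synthetic flood are assumptions.

```python
import random
import re
from collections import Counter, defaultdict

# Constructed input: lines in the format quoted in the post ("src.sport -> dst.dport TCP SYN"),
# prefixed with a whole-second timestamp that is an added assumption, not part of the post.
LINE_RE = re.compile(
    r"^(\d+)\s+(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+->\s+(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+TCP SYN$")

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    t, src, sport, dst, dport = m.groups()
    return int(t), src, int(sport), dst, int(dport)

def syn_buckets(lines):
    """Group SYNs by (second, dst, dport): [count, set of source addresses]."""
    buckets = defaultdict(lambda: [0, set()])
    for rec in map(parse, lines):
        if rec:
            t, src, _, dst, dport = rec
            buckets[(t, dst, dport)][0] += 1
            buckets[(t, dst, dport)][1].add(src)
    return buckets

def most_repeated_source(lines):
    """Best candidate for a per-source 'deny host' rule. With random spoofed sources
    no address repeats, so the rule would never match anything useful."""
    counts = Counter(rec[1] for rec in map(parse, lines) if rec)
    return counts.most_common(1)[0] if counts else (None, 0)

def flag_syn_floods(lines, min_pps=500, min_distinct_ratio=0.9):
    """Destination-side detection: many SYNs per second toward one socket, almost all
    from different sources. Returns (second, dst, dport, syn_count, distinct_sources)."""
    alerts = []
    for (t, dst, dport), (n, srcs) in sorted(syn_buckets(lines).items()):
        if n >= min_pps and len(srcs) / n >= min_distinct_ratio:
            alerts.append((t, dst, dport, n, len(srcs)))
    return alerts

def constructed_flood(seconds=2, pps=2000, seed=7):
    """Synthetic replay of the flood described in the post: ~2,000 SYN/s to
    172.30.15.5:80 from random source addresses. Seeded so results repeat."""
    rng = random.Random(seed)
    return ["%d %s.%d -> 172.30.15.5.80 TCP SYN" % (
        t, ".".join(str(rng.randint(1, 223)) for _ in range(4)), rng.randint(1024, 65535))
        for t in range(seconds) for _ in range(pps)]

# Constructed legitimate traffic: one client retrying a mail connection, not a flood.
LEGIT = ["0 10.1.1.9.40001 -> 172.30.15.7.25 TCP SYN",
         "1 10.1.1.9.40002 -> 172.30.15.7.25 TCP SYN"]
```

Run `flag_syn_floods(constructed_flood())` to see one alert per second for 172.30.15.5:80, and `flag_syn_floods(LEGIT)` to see that a retrying client produces none.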