[4430] in North American Network Operators' Group
Re: New Denial of Service Attack on Panix
daemon@ATHENA.MIT.EDU (George Herbert)
Mon Sep 16 21:54:36 1996
To: Tim Bass <bass@cactus.silkroad.com>
Cc: michael@memra.com (Michael Dillon), nanog@merit.edu, iepg@iepg.org, gherbert@crl.com
In-Reply-To: Your message of "Mon, 16 Sep 1996 20:59:47 EDT." <199609170059.UAA02222@cactus.silkroad.com>
Date: Mon, 16 Sep 1996 18:48:12 -0700
From: George Herbert <gherbert@crl.com>
Tim writes:
>> There are at least three things you can do to protect yourself from such
>> attacks. One is to patch your UNIX/BSD kernel to allow much higher numbers
>> of incomplete socket connections. One is to have another machine or your
>> network issue RST's for sockets that it thinks are part of the SYN flood
>> attack. And one is to install a SYN proxy machine between your net and the
>> Internet which catches all SYN packets and holds them until an ACK is
>> received at which point the SYN and the ACK are passed on to your network.
>> Such a proxy can be built to handle HUGE numbers of incomplete connections.
>
>Great suggestion Mike! Much quicker to do than a stochastic analysis
>of the pseudo-random nature of the attack (unless you're the US government :-)
>and much cheaper to implement (unless you're the US government :-)
>Certainly the UNIX proxy hack is easier than resorting to code-breaking,
>stochastic methods.
>Hats off to you,
I'm not sure it's even possible to analyze the pseudo-random shifting
attack (among other problems, there will be legitimate traffic in the
stream, so knowing what SYNs are bad is a pain) in anything approaching
realtime, so yes, one of the other methods is a much better choice 8-)
-george william herbert
gherbert@crl.com
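The SYN proxy that Mike describes in the quoted text, as an added simulation that is not part of this thread or of any real proxy implementation: the proxy answers each SYN with its own SYN-ACK, holds the half-open entry in a large table with a timeout, and only hands the connection to the server once the client's final ACK arrives, so a flood of SYNs that never complete the handshake never reaches the server's small kernel backlog. The `Packet`, `Server` and `SynProxy` classes, the simulated clock, and every address and sequence number are constructed for illustration.

```python
"""SYN-proxy simulation (added example): the proxy completes the TCP handshake
on the server's behalf and only replays it to the real server once the client's
ACK has arrived. Half-open entries are held in a large table with a timeout."""
import secrets
from dataclasses import dataclass


@dataclass
class Packet:
    src: str      # source address (constructed; the flood uses made-up spoofed ones)
    dst: str
    flags: str    # "SYN", "SYN-ACK" or "ACK"
    seq: int = 0
    ack: int = 0


class Server:
    """Backend host: it only ever learns about handshakes the proxy completed."""
    def __init__(self):
        self.accepted = []

    def accept(self, src):
        self.accepted.append(src)


class SynProxy:
    def __init__(self, server, max_half_open=200_000, timeout=5.0):
        self.server = server
        self.max_half_open = max_half_open   # far larger than a kernel listen backlog
        self.timeout = timeout               # seconds a half-open entry is held
        self.half_open = {}                  # (src, client_seq) -> (proxy_seq, deadline)
        self.now = 0.0                       # simulated clock, advanced by tick()
        self.stats = {"syn": 0, "forwarded": 0, "dropped": 0, "expired": 0}

    def tick(self, seconds):
        """Advance the simulated clock and reap half-open entries past their deadline."""
        self.now += seconds
        stale = [k for k, (_, deadline) in self.half_open.items() if deadline <= self.now]
        for k in stale:
            del self.half_open[k]
        self.stats["expired"] += len(stale)

    def handle(self, pkt):
        """Process one inbound packet; return the reply the proxy sends, if any."""
        if pkt.flags == "SYN":
            self.stats["syn"] += 1
            if len(self.half_open) >= self.max_half_open:
                self.stats["dropped"] += 1          # table full: drop, never bother the server
                return None
            proxy_seq = secrets.randbits(32)        # unpredictable initial sequence number
            self.half_open[(pkt.src, pkt.seq)] = (proxy_seq, self.now + self.timeout)
            return Packet(src=pkt.dst, dst=pkt.src, flags="SYN-ACK",
                          seq=proxy_seq, ack=pkt.seq + 1)
        if pkt.flags == "ACK":
            entry = self.half_open.pop((pkt.src, pkt.seq - 1), None)
            if entry is None or pkt.ack != entry[0] + 1:
                self.stats["dropped"] += 1          # no matching SYN, or wrong ack number
                return None
            self.stats["forwarded"] += 1            # handshake genuine: now the server sees it
            self.server.accept(pkt.src)
        return None


def simulate(flood_size=10_000, timeout=5.0):
    """Constructed scenario: a flood of SYNs that never complete, one real client,
    one stray ACK with no matching SYN, then enough time for the flood to expire."""
    server = Server()
    proxy = SynProxy(server, max_half_open=flood_size * 2, timeout=timeout)
    for i in range(flood_size):                     # spoofed sources (constructed 10/8 space)
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        proxy.handle(Packet(src=src, dst="srv", flags="SYN", seq=i))
    synack = proxy.handle(Packet(src="192.0.2.7", dst="srv", flags="SYN", seq=1000))
    proxy.handle(Packet(src="192.0.2.7", dst="srv", flags="ACK",
                        seq=1001, ack=synack.seq + 1))
    proxy.handle(Packet(src="198.51.100.9", dst="srv", flags="ACK", seq=1, ack=1))
    half_open_during = len(proxy.half_open)
    proxy.tick(timeout + 1)
    return {
        "syn_seen": proxy.stats["syn"],
        "half_open_during_flood": half_open_during,
        "half_open_after_timeout": len(proxy.half_open),
        "forwarded": proxy.stats["forwarded"],
        "dropped": proxy.stats["dropped"],
        "expired": proxy.stats["expired"],
        "server_accepted": list(server.accepted),
    }


def overflow_demo(table_size=3, syns=5):
    """Show the proxy shedding load itself when even its large table fills up."""
    proxy = SynProxy(Server(), max_half_open=table_size)
    for i in range(syns):
        proxy.handle(Packet(src=f"10.0.0.{i}", dst="srv", flags="SYN", seq=i))
    return {"held": len(proxy.half_open), "dropped": proxy.stats["dropped"]}


if __name__ == "__main__":
    print(simulate())
    print(overflow_demo())
```

The server's `accepted` list only ever contains the client that finished the handshake; the ten thousand half-open entries live and die in the proxy's table, which is the whole point of putting the proxy in front of the kernel's much smaller backlog.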