[4436] in North American Network Operators' Group


Re: New Denial of Service Attack on Panix

daemon@ATHENA.MIT.EDU (Michael Dillon)
Mon Sep 16 22:42:57 1996

Date: Mon, 16 Sep 1996 19:32:48 -0700 (PDT)
From: Michael Dillon <michael@memra.com>
To: nanog@merit.edu
cc: iepg@iepg.org
In-Reply-To: <Pine.QUAD.3.94.960916182425.296A-100000@quad.quadrunner.com>

On Mon, 16 Sep 1996, Craig A. Huegen wrote:

> The SYN flood coming towards my host X looks like this, at approximately
> 2,000 PPS:
> 
> 182.58.239.2.1526     -> 172.30.15.5.80  TCP SYN
> 19.23.212.4.10294     -> 172.30.15.5.80  TCP SYN       
> 93.29.233.68.4355     -> 172.30.15.5.80  TCP SYN
> [... on and on ...]
> 
> Tell me how to filter this.

The only thing that comes close to the concept of "filtering" is to build
a SYN proxy that replies with SYN-ACK and hangs onto SYN packets until the
ACK is received from the net before actually letting the packets through
to your server. This may require sequence number munging on every packet
but that's generally the kind of thing proxies do. 

Of course, such a proxy does not yet exist except possibly as somebody's
home-built box based on some stripped down BSD-ish UNIX kernel with
various modifications. But assuming that you can build a box with enough
horsepower to handle 100baseTx/FDDI/whatever in and
100baseTx/FDDI/whatever out, then this is in the realm of possibility.

Michael Dillon                   -               ISP & Internet Consulting
Memra Software Inc.              -                  Fax: +1-604-546-3049
http://www.memra.com             -               E-mail: michael@memra.com
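The SYN proxy Dillon sketches, as an added illustration that is not code from the post or from any product of the time: a toy Python model that answers SYNs itself, lets a connection through to the server only once the client's ACK arrives, and munges sequence numbers in both directions. The server ISN, the addresses and the segment format are constructed for the demo.

```python
from dataclasses import dataclass
import random

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

@dataclass
class Seg:
    src: str        # "ip:port" of the sender (constructed, not real addresses)
    flags: str      # "SYN", "SYN-ACK", "ACK" or "DATA"
    seq: int = 0
    ack: int = 0

class SynProxy:
    """Answer SYNs on the server's behalf; only a completed handshake reaches the server."""
    def __init__(self, server_isn):
        self.server_isn = server_isn  # assumption: the server's ISN is fixed and known to the demo
        self.pending = {}             # client -> proxy ISN, awaiting the client's ACK
        self.delta = {}               # client -> (server_isn - proxy_isn), the munging offset
        self.to_server = []           # segments the proxy actually let through

    def from_client(self, seg):
        """Process one client->server segment; return the proxy's reply to the client, if any."""
        if seg.flags == "SYN":
            # Half-open state lives here, not on the server; a real proxy must bound and expire it.
            isn = random.randrange(MOD)
            self.pending[seg.src] = isn
            return Seg("proxy", "SYN-ACK", seq=isn, ack=(seg.seq + 1) % MOD)
        if seg.flags == "ACK" and seg.src in self.pending:
            isn = self.pending.pop(seg.src)
            if seg.ack != (isn + 1) % MOD:
                return None           # does not acknowledge our SYN-ACK: drop it
            # Replay the handshake toward the server, then remember the numbering offset.
            self.to_server.append(Seg(seg.src, "SYN", seq=(seg.seq - 1) % MOD))
            self.to_server.append(Seg(seg.src, "ACK", seq=seg.seq, ack=(self.server_isn + 1) % MOD))
            self.delta[seg.src] = (self.server_isn - isn) % MOD
        elif seg.src in self.delta:
            ack = (seg.ack + self.delta[seg.src]) % MOD  # shift into the server's sequence space
            self.to_server.append(Seg(seg.src, seg.flags, seq=seg.seq, ack=ack))
        return None

    def from_server(self, client, seg):
        # Shift a server->client segment's seq field back into the numbering the client saw.
        return Seg(seg.src, seg.flags, seq=(seg.seq - self.delta[client]) % MOD, ack=seg.ack)

def demo(flood=2000):
    p = SynProxy(server_isn=5000)
    for i in range(flood):  # constructed spoofed-source SYN flood; no ACK ever comes back
        p.from_client(Seg(f"10.{i // 256}.{i % 256}.1:1526", "SYN", seq=1))
    synack = p.from_client(Seg("192.0.2.10:40000", "SYN", seq=100))  # one real client
    p.from_client(Seg("192.0.2.10:40000", "ACK", seq=101, ack=(synack.seq + 1) % MOD))
    p.from_client(Seg("192.0.2.10:40000", "DATA", seq=101, ack=(synack.seq + 1) % MOD))
    return p, synack
```

After `demo()` the 2,000 flood SYNs sit only in the proxy's pending table while the server has seen exactly three segments, all from the one client that finished the handshake.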
