[4468] in North American Network Operators' Group
Re: New Denial of Service Attack on Panix
daemon@ATHENA.MIT.EDU (Christopher Blizzard)
Tue Sep 17 10:27:54 1996
To: Michael Dillon <michael@memra.com>
cc: nanog@merit.edu, iepg@iepg.org
In-reply-to: Your message of "Mon, 16 Sep 1996 19:32:48 PDT."
<Pine.BSI.3.93.960916191246.3265P-100000@sidhe.memra.com>
Date: Tue, 17 Sep 1996 10:23:54 -0400
From: Christopher Blizzard <blizzard@odin.nyser.net>
In message <Pine.BSI.3.93.960916191246.3265P-100000@sidhe.memra.com>, Michael D
illon writes:
:
:The only thing that comes close to the concept of "filtering" is to build
:a SYN proxy that replies with SYN-ACK and hangs onto SYN packets until the
:ACK is received from the net before actually letting the packets through
:to your server. This may require sequence number munging on every packet
:but that's generally the kind of thing proxies do.
:
:Of course, such a proxy does not yet exist except possibly as somebody's
:home-built box based on some stripped down BSD-ish UNIX kernel with
:various modifications. But assuming that you can build a box with enough
:horsepower to handle 100baseTx/FDDI/whatever in and
:100baseTx/FDDI/whatever out, then this is in the realm of possibility.
:
A beefed up application level firewall would probably work well in this
situation.
--Chris
:Michael Dillon - ISP & Internet Consulting
:Memra Software Inc. - Fax: +1-604-546-3049
:http://www.memra.com - E-mail: michael@memra.com
-------------------------------------------------------------------
Christopher Blizzard | "The truth knocks on the door and you say
blizzard@nysernet.org | 'Go away. I'm looking for the truth,' and
NYSERNet, Inc. | so it goes away." --Robert Pirsig
-------------------------------------------------------------------
