[4469] in North American Network Operators' Group
Re: New Denial of Service Attack on Panix
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Tue Sep 17 10:39:29 1996
To: "Forrest W. Christian" <forrestc@imach.com>
cc: nanog@merit.edu, iepg@iepg.org
In-reply-to: Your message of "Tue, 17 Sep 1996 03:28:23 MDT."
<Pine.LNX.3.91.960917030857.17180B-100000@IMgate.iMach.com>
Reply-To: perry@piermont.com
Date: Tue, 17 Sep 1996 10:30:26 -0400
From: "Perry E. Metzger" <perry@piermont.com>
"Forrest W. Christian" writes:
> Maybe I'm missing something here, but wouldn't these Denial of Service
> attacks cause a severe mismatch in the numbers of SYNs and SYN-ACKs on a
> given router interface?
[...]
> Then, if the ratio got too high, it can start yelping about "Potential SYN
> D-O-S Attack in progress on Interface Serial 1"
>
> In this manner "good" ISPs wouldn't unknowingly carry these attacks.
I think it is easier to just block the attacks completely by source
filtering your own network, at which point you can't carry such an
attack, knowingly or unknowingly.
> I envision this being done on the somewhat bigger ISPs where
> putting inbound filters on their customer interfaces would not be a
> good idea (Sprint, MCI, Net 99, etc.).
What you propose is actually much harder to build than filters are.
> Personally, I know that these attacks aren't going to originate at our
> site, as I have the filters on. However, I am quite concerned about
> getting hit with one...
Please help, then, in convincing people that it is important to turn
on filtering on all leaf networks.
Perry
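The two approaches argued over in this exchange, Forrest's per-interface SYN/SYN-ACK ratio alarm and Perry's source-address filter on the leaf network, as an added example written for this archive page rather than code from either poster. The record layout, interface names, prefix and the packet sample are all constructed here.

```python
"""Two defensive checks from the thread, run over constructed packet records.

Each record is (interface, direction, src, tcp_flags); direction is "out" for
packets leaving the leaf network toward the upstream and "in" for the reverse.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

SYN, ACK = 0x02, 0x10
OWN_PREFIXES = [ip_network("192.0.2.0/24")]   # constructed: the leaf network's own space

# Constructed sample: a host completing handshakes on Ethernet0, plus a run of
# SYNs with forged sources leaving via Serial1 that draw almost no SYN-ACKs.
SAMPLE = (
    [("Ethernet0", "out", "192.0.2.10", SYN),
     ("Ethernet0", "in", "198.51.100.7", SYN | ACK)] * 3
    + [("Serial1", "out", f"203.0.113.{i}", SYN) for i in range(1, 13)]
    + [("Serial1", "out", "192.0.2.20", SYN),
       ("Serial1", "in", "198.51.100.9", SYN | ACK)]
)

def syn_ratio_alerts(records, ratio=3.0, min_syns=5):
    """Forrest's proposal: per interface, compare outbound SYNs with the SYN-ACKs
    that come back; many SYNs with few replies raises the alarm."""
    syns, synacks = Counter(), Counter()
    for iface, direction, _src, flags in records:
        if flags & SYN and flags & ACK and direction == "in":
            synacks[iface] += 1
        elif flags & SYN and not flags & ACK and direction == "out":
            syns[iface] += 1
    return {iface: f"Potential SYN D-O-S attack in progress on Interface {iface}"
            for iface, n in syns.items()
            if n >= min_syns and n > ratio * synacks[iface]}

def egress_filter_drops(records, own_prefixes=OWN_PREFIXES):
    """Perry's answer: an outbound packet whose source is not one of our own
    addresses cannot be legitimate, so drop it before it reaches the upstream."""
    return [(iface, src) for iface, direction, src, _flags in records
            if direction == "out"
            and not any(ip_address(src) in net for net in own_prefixes)]

if __name__ == "__main__":
    print(syn_ratio_alerts(SAMPLE))
    print(len(egress_filter_drops(SAMPLE)), "packets dropped by the source filter")
```

The ratio alarm only fires after the flood is under way and needs a tuned threshold per link, whereas the source filter drops every forged packet the moment it tries to leave, which is the asymmetry Perry is pointing at.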