[4931] in North American Network Operators' Group
Re: New Denial of Service Attack on Panix
daemon@ATHENA.MIT.EDU (Dima Volodin)
Wed Oct 2 17:49:31 1996
To: bass@cactus.silkroad.com (Tim Bass)
Date: Wed, 2 Oct 1996 17:32:52 -0400 (EDT)
Cc: kwe@6SigmaNets.com, bass@cactus.silkroad.com, nanog@merit.edu,
iepg@iepg.org
In-Reply-To: <199610022111.RAA01111@cactus.silkroad.com> from "Tim Bass" at Oct 2, 96 05:11:47 pm
From: dvv@sprint.net (Dima Volodin)

Tim Bass writes:
>
> [...]
>
> Because, it seems to me, since the way to exploit TCP
> is to use bogus, unreachable IP sources, why not use
> this fact to let the kernel just filter itself under
> certain flooding conditions?
>
> Please let me know why this will not work.
>
> Thanks,

It will, except that a slight modification of the attack (using IP
addresses that _don't_ produce ICMP_UNREACH) will get us back to square
one.

Anyway, filtering packets with SRC addresses known to generate
ICMP_UNREACH at the earliest possible stage might be a good idea.

> Tim

Dima
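
Added example (not part of the original message and not code from any kernel): a toy Python model of the filter discussed in this exchange, showing that a listen queue which learns from ICMP_UNREACH stays usable when the flood's sources bounce, and fills up as before when they are silent. The class and function names, the backlog size, the filter lifetime and the sample addresses are assumptions made for illustration; SYN_RCVD timeouts are left out.

```python
# Toy model, not kernel code: half-open (SYN_RCVD) queue with ICMP_UNREACH feedback.
class UnreachFilter:
    def __init__(self, backlog, block_ttl):
        self.backlog = backlog      # max half-open connections
        self.block_ttl = block_ttl  # seconds a bouncing source stays filtered
        self.half_open = {}         # (src, sport) -> time the SYN arrived
        self.blocked = {}           # src -> time the filter entry expires

    def on_syn(self, src, sport, now):
        if self.blocked.get(src, 0) > now:
            return "filtered"       # dropped before it can take a queue slot
        self.blocked.pop(src, None) # entry expired (or never existed)
        if len(self.half_open) >= self.backlog:
            return "backlog-full"
        self.half_open[(src, sport)] = now
        return "queued"

    def on_icmp_unreach(self, src, now):
        # Our SYN-ACK to src bounced: filter src and free the slots it holds.
        self.blocked[src] = now + self.block_ttl
        for key in [k for k in self.half_open if k[0] == src]:
            del self.half_open[key]

# Constructed sample addresses (documentation ranges).
FLOOD_SOURCES = ["198.51.100.1", "198.51.100.2"]
CLIENT = "192.0.2.10"

def simulate(bouncing, backlog=8, syns=100):
    """Replay a flood, then report what a real client's SYN gets.
    `bouncing` = sources whose SYN-ACKs come back as ICMP_UNREACH."""
    f, now = UnreachFilter(backlog, block_ttl=60), 0.0
    for i in range(syns):
        src = FLOOD_SOURCES[i % len(FLOOD_SOURCES)]
        # Only a queued SYN triggers a SYN-ACK, so only it can bounce.
        if f.on_syn(src, 1024 + i, now) == "queued" and src in bouncing:
            f.on_icmp_unreach(src, now)  # assumed to arrive before the next SYN
        now += 0.01
    return f.on_syn(CLIENT, 40000, now), len(f.blocked)

if __name__ == "__main__":
    print("sources bounce:", simulate(set(FLOOD_SOURCES)))
    print("sources silent:", simulate(set()))
```
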