Re[4]: SYN floods (was: does history repeat itself?)

[pcalhoun () usr com (Pat Calhoun)]

     Curtis,
     
        As I stated in my previous e-mail, we could do this by adding this 
     to our release notes in our product, describing the problem and 
     advising against not taking measures. However, this would only apply 
     to our customers, which I would venture to say that most already do 
     understand the problem :).
     
        However, if there is anything that I can do to help, please let me 
     know since I take the threat of the "imminent death of the internet" 
     very seriously.
     
     
     Pat R. Calhoun                                e-mail: pcalhoun () usr com 
     Project Engineer - Lan Access R&D                phone: (847) 933-5181 
     US Robotics Access Corp.
     
______________________________ Reply Separator _________________________________
Subject: Re: Re[2]: SYN floods (was: does history repeat itself?) 
Author:  Curtis Villamizar <curtis () ans net> at Internet 
Date:    9/12/96 1:44 PM
     
     
     
In message <233128C0.3000 () usr com>, Pat Calhoun writes: 
> This is a Mime message, which your current mail reader
> may not understand. Parts of the message will appear as
> text. To process the remainder, you will need to use a Mime 
> compatible mail reader. Contact your vendor for details.
>
> --IMA.Boundary.388702248
> Content-Type: text/plain; charset=US-ASCII 
> Content-Transfer-Encoding: 7bit
> Content-Description: cc:Mail note part 
>
>      Perry,
>      
>         This is actually quite simple to implement on Dial Access Routers, 
>      and obviously this is the best place to add the filtering. 
>      
>      
>      Pat R. Calhoun                                e-mail: pcalhoun () usr com 
>      Project Engineer - Lan Access R&D                phone: (847) 933-5181 
>      US Robotics Access Corp.
     
     
I agree with you completely -- sort of.  Only problem is there are 
thought to be some 3,000 dial access providers.  Many of them barely 
know what a TCP SYN is, let alone why they need to block ones with 
random source addresses and how.  Unless of course you are 
volunteering to explain it and help them.  Thanks in advance.  :-)
     
Curtis
     
     
> ______________________________ Reply Separator ______________________________ 
> ___
> Subject: Re: SYN floods (was: does history repeat itself?) 
> Author:  "Perry E. Metzger" <perry () piermont com> at Internet 
> Date:    9/9/96 1:19 PM
>
>
>      
> Re: SYN floods
>      
> PANIX, a large public access provider in New York, was badly hit with 
> SYN flood attacks from random source addresses over the last few 
> days. It nearly wrecked them.
>      
> I think its time for the larger providers to start filtering packets 
> coming from customers so that they only accept packets with the 
> customer's network number on it. 
>      
> Yes, its a load on routers. Yes, its nasty for the mobile IP weenies. 
> Unfortunately, the only known way to stop this. Many TCPs go belly up 
> as soon as they get SYN flooded -- its a defect in the protocol 
> design, and other than Karn style anti-clogging tokens ("cookies") 
> being put into a TCP++ and mass implemented worldwide soon, the only 
> reasonable way to stop this sort of terrorism is provider filtering. 
>      
> Perry
> --IMA.Boundary.388702248
> Content-Type: text/plain; charset=US-ASCII; name="RFC822 message headers" 
> Content-Transfer-Encoding: 7bit
> Content-Description: cc:Mail note part
> Content-Disposition: attachment; filename="RFC822 message headers" 
>
> Received: from usr.com (mailgate.usr.com) by robogate2.usr.com with SMTP
>   (IMA Internet Exchange 2.02 Enterprise) id 233028F0; Sun, 8 Sep 96 12:29:51 
> -0500
> Received: from merit.edu by usr.com (8.7.5/3.1.090690-US Robotics) 
>       id MAA17658; Mon, 9 Sep 1996 12:33:14 -0500 (CDT)
> Received: from localhost (daemon@localhost) by merit.edu (8.7.5/merit-2.0) wi 
> th
> SMTP id NAA17064; Mon, 9 Sep 1996 13:20:33 -0400 (EDT)
> Received: by merit.edu (bulk_mailer v1.5); Mon, 9 Sep 1996 13:19:08 -0400
> Received: (from daemon@localhost) by merit.edu (8.7.5/merit-2.0) id NAA16987 
> for
> nanog-outgoing; Mon, 9 Sep 1996 13:19:08 -0400 (EDT)
> Received: from jekyll.piermont.com (jekyll.piermont.com [206.1.51.15]) by
> merit.edu (8.7.5/merit-2.0) with ESMTP id NAA16982 for <nanog () merit edu>; Mon 
> , 9
> Sep 1996 13:19:05 -0400 (EDT)
> Received: from localhost (perry@localhost) by jekyll.piermont.com (8.7.5/8.6. 
> 12)
> with SMTP id NAA24855 for <nanog () merit edu>; Mon, 9 Sep 1996 13:19:02 -0400 
> (EDT)
> Message-Id: <199609091719.NAA24855 () jekyll piermont com>
> X-Authentication-Warning: jekyll.piermont.com: Host perry@localhost didn't us 
> e
> HELO protocol
> To: nanog () merit edu
> Subject: Re: SYN floods (was: does history repeat itself?) 
> In-reply-to: Your message of "Mon, 09 Sep 1996 12:47:13 EDT." 
>              <199609091647.MAA01458 () tomservo mindspring com> 
> Reply-To: perry () piermont com
> X-Reposting-Policy: redistribute only with permission 
> Date: Mon, 09 Sep 1996 13:19:02 -0400
> From: "Perry E. Metzger" <perry () piermont com> 
> Sender: owner-nanog () merit edu
> --IMA.Boundary.388702248--

Attachment: RFC822 message headers
Description: cc:Mail note part