nanog mailing list archives

Re: New Denial of Service Attack on Panix


From: George Herbert <gherbert () crl com>
Date: Mon, 16 Sep 1996 18:48:12 -0700


Tim writes:
There are at least three things you can do to protect yourself from such
attacks. One is to patch your UNIX/BSD kernel to allow much higher numbers
of incomplete socket connections. One is to have another machine or your
network issue RST's for sockets that it thinks are part of the SYN flood
attack. And one is to install a SYN proxy machine between your net and the
Internet which catches all SYN packets and holds them until an ACK is
received at which point the SYN and the ACK are passed on to your network.
Such a proxy can be built to handle HUGE numbers of incomplete connections.

Great suggestion Mike!  Much quicker to do than a stochastic analysis
of the pseudo-random nature of the attack (unless you're the US government :-)
and much cheaper to implement (unless you're the US government :-)
Certainly the UNIX proxy hack is easier than resorting to code-breaking,
stochastic methods.
Hats off to you,

I'm not sure it's even possible to analyze the pseudo-random shifting
attack (among other problems, there will be legitimate traffic in the
stream, so knowing what SYNs are bad is a pain) in anything approaching
realtime, so yes, one of the other methods is a much better choice 8-)

-george william herbert
gherbert () crl com
