Re: SYN floods (was: does history repeat itself?)

[Avi Freedman <freedman () netaxs com>]

> BTW, Alexis Rosen at Panix could use some help tracking down the
> person(s) attacking his machines -- he's more or less being shut down
> by this. He's having some trouble finding the right person at Sprint
> (one of his two providers) to talk to. If the right person could get
> in touch with me, I'll hook the two of you up.
>
> Hopefully, with a little inter-provider cooperation, the guy will get
> caught and arrested soon.
>
> Perry

I'll post more a bit later (the attack is under way now).

MCI was very cooperative, but Sprint said they didn't have time or
energy (even though Panix is a Sprint customer) to help to find out
where on Sprint's network the packets are entering.  (Panix has a
t1 to MCI and a t1 to Sprintlink.  In fact, Panix was Sprintlink's
first ISP customer, (used to be on sl-dc-1-s0)).

For a while, the attacker was using a constant seq # (though random ports
and src addresses).  We hacked the kernel to filter out that seq # in
tcp input routines.

While how to fix kernels so they're not as vulnerable to huge syn storms 
is not a NANOG topic, finding the <expletives deleted regretfully> who
do this is.

More later,

Avi

- - - - - - - - - - - - - - - - -