nanog mailing list archives

Re: SYN floods continue


From: "Joseph T. Klein" <jtk () nap net>
Date: Wed, 11 Sep 1996 11:04:18 -0500 (CDT)



I don't know, but since nobody else seems to either, how about a 
router box that detects excessive SYN activity and then automatically 
blocks that IP address for a while?  I suppose it just means that
the attacker has to vary the source address rapidly.

Anyway. Point is this: We can't take too much more of this, nor can our
customers. I have yet to hear *anyone* come up with any ideas even remotely
reasonable for how to deal with this situation, long term, except for the


If they modulate the phasers we just need to modulate the shields. :-O

If someone comes up with a good solution we will be glad to implement it.
-- 
/*Joseph T. Klein         *    Keep Cool, but Don't Freeze
* NAP.NET, LLC            *
* phone  +1 414 747-8747  *                    - Hellman's Mayonnaise
* http://www.nap.net     */
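
Added example, not part of the original message or thread: a per-source SYN rate limiter of the kind suggested above, run over constructed traffic to show the limitation the message names. The class name, thresholds and addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

WINDOW = 1.0       # seconds of history kept per source (assumed value)
THRESHOLD = 20     # SYNs per window before a source is blocked (assumed)
BLOCK_FOR = 60.0   # how long a source stays blocked, in seconds (assumed)

class SynLimiter:
    """Per-source SYN rate detector with a temporary block list."""

    def __init__(self):
        self.recent = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.blocked_until = {}            # src -> time the block expires

    def accept(self, ts, src):
        """Return True if the SYN seen at time ts from src is forwarded."""
        if self.blocked_until.get(src, 0.0) > ts:
            return False                   # source is still blocked
        self.blocked_until.pop(src, None)  # block (if any) has expired
        q = self.recent[src]
        q.append(ts)
        while q and q[0] <= ts - WINDOW:   # drop timestamps outside the window
            q.popleft()
        if len(q) > THRESHOLD:             # excessive SYN activity: block
            self.blocked_until[src] = ts + BLOCK_FOR
            q.clear()
            return False
        return True

def run(events):
    """Feed (timestamp, source) pairs; return (forwarded, dropped, blocked)."""
    lim = SynLimiter()
    forwarded = dropped = 0
    blocked = set()
    for ts, src in events:
        if lim.accept(ts, src):
            forwarded += 1
        else:
            dropped += 1
            blocked.add(src)
    return forwarded, dropped, blocked

# Constructed traffic: 1000 SYNs in one second, documentation-range addresses.
fixed_source = [(i / 1000, "192.0.2.10") for i in range(1000)]
varying_source = [(i / 1000, f"198.51.100.{i % 250 + 1}") for i in range(1000)]

if __name__ == "__main__":
    print(run(fixed_source), run(varying_source))
```

With one source the limiter forwards 20 SYNs and drops the other 980; with the same volume spread over 250 source addresses no source crosses the threshold and all 1000 are forwarded.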