nanog mailing list archives

Re[4]: SYN floods (was: does history repeat itself?)

From: pcalhoun () usr com (Pat Calhoun)
Date: Fri, 13 Sep 1996 15:54:47 -0500

     John,
     
        This sort of feature could be easily added into a NAS, but I 
     question your implementation details. If this filter was turned on by 
     default, then this could "break" other types of services which may 
     require source ip addresses other than the one which was negotiated to 
     the user.
     
        This would mean that a customer could perform a flash upgrade and 
     find that their service no longer operates (a technical support 
     nightmare). Would you be willing to consider such a feature where it 
     would have to be enabled (and is disabled by default) and a very well 
     explained document with the release notes to service providers 
     advising them of the risk of not enabling this switch??
     
     Pat R. Calhoun                                e-mail: pcalhoun () usr com 
     Project Engineer - Lan Access R&D                phone: (847) 933-5181 
     US Robotics Access Corp.

______________________________ Reply Separator _________________________________
Subject: Re: Re[2]: SYN floods (was: does history repeat itself?)
Author:  "John G. Scudder" <jgs () ieng com> at Internet
Date:    9/12/96 2:33 PM


At 1:44 PM -0400 9/12/96, Curtis Villamizar wrote:

I agree with you completely -- sort of.  Only problem is there are 
thought to be some 3,000 dial access providers.  Many of them barely 
know what a TCP SYN is, let alone why they need to block ones with 
random source addresses and how.  Unless of course you are

                                   ^^^^^^^^^^^^^^^^^^^^^^^^

volunteering to explain it and help them.  Thanks in advance.  :-)

 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     
Curtis, this is a great point.  USR and other NAS vendors are actually in a 
great position to do exactly this, by changing their boxes to block random 
addresses *by default* on dial-up ports.  This is of course exactly the 
point Vadim and others keep making, and of course as they point out there 
ought to be a knob to disable it if desired.
     
Insofar as guys who "barely know what a TCP SYN is" are unlikely to twist 
the knobs, defaulting filtering to "block spoofed addresses" seems like the 
best and maybe only way to get them to do it.
     
How about it, USR &al?
     
--John
     
--
John Scudder                        email:  jgs () ieng com 
Internet Engineering Group, LLC     phone:  (313) 669-8800 
122 S. Main, Suite 280              fax:    (313) 669-8661
Ann Arbor, MI  41804                www:    http://www.ieng.com

Attachment: RFC822 message headers
Description: cc:Mail note part

Current thread:

Re: SYN floods (was: does history repeat itself?), (continued)
- - Re: SYN floods (was: does history repeat itself?) Alex.Bligh (Sep 13)
    - Re: SYN floods (was: does history repeat itself?) Mr. Jeremy Hall (Sep 13)
- Re: SYN floods (was: does history repeat itself?) Vadim Antonov (Sep 14)
  - Re: SYN floods (was: does history repeat itself?) Mr. Jeremy Hall (Sep 15)
    - Re: SYN floods (was: does history repeat itself?) alex (Sep 16)
    - Re: SYN floods (was: does history repeat itself?) Mr. Jeremy Hall (Sep 16)
- Re: Re[4]: SYN floods (was: does history repeat itself?) James D. Butt 'J.D.' (Sep 15)
- Re: SYN floods (was: does history repeat itself?) Vadim Antonov (Sep 15)
- Re[4]: SYN floods (was: does history repeat itself?) Pat Calhoun (Sep 16)
- Re[4]: SYN floods (was: does history repeat itself?) Pat Calhoun (Sep 16)
- Re[4]: SYN floods (was: does history repeat itself?) Pat Calhoun (Sep 16)