nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: New Denial of Service Attack on Panix

From: Michael Dillon <michael () memra com>
Date: Mon, 16 Sep 1996 19:32:48 -0700 (PDT)
On Mon, 16 Sep 1996, Craig A. Huegen wrote:


The SYN flood coming towards my host X looks like this, at approximately
2,000 PPS:

182.58.239.2.1526     -> 172.30.15.5.80  TCP SYN
19.23.212.4.10294     -> 172.30.15.5.80  TCP SYN       
93.29.233.68.4355     -> 172.30.15.5.80  TCP SYN
[... on and on ...]

Tell me how to filter this.


The only thing that comes close to the concept of "filtering" is to build
a SYN proxy that replies with SYN-ACK and hangs onto SYN packets until the
ACK is received from the net before actually letting the packets through
to your server. This may require sequence number munging on every packet
but that's generally the kind of thing proxies do. 

Of course, such a proxy does not yet exist except possibly as somebody's
home-built box based on some stripped down BSD-ish UNIX kernel with
various modifications. But assuming that you can build a box with enough
horsepower to handle 100baseTx/FDDI/whatever in and
100baseTx/FDDI/whatever out, then this is in the realm of possibility.

Michael Dillon                   -               ISP & Internet Consulting
Memra Software Inc.              -                  Fax: +1-604-546-3049
http://www.memra.com             -               E-mail: michael () memra com

- - - - - - - - - - - - - - - - -
Previous By Date Next
Previous By Thread Next

Current thread: