On Thu, 12 Sep 1996, Paul Ferguson wrote:
> Of course, this does nothing to thwart someone from flooding a given
> host with TCP SYN's, as these are generally passed along in the traffic
> stream.
>
> This is a harder problem to solve than one would suspect.
First, thanks Paul for the wonderful information you have posted
on this topic.
This problem has kept me awake more than coffee. :-)
The only way to start to defend against this problem is at the two end points.
The problem is that the only end point we know about is the "victim".
So let's start there:
We are working on a daemon that will slide the kernel's timer from
a normal 75 seconds waiting for the 3rd step in the handshake to
5 seconds (these numbers are not firm yet). As a host's kernel
exceeds a threshold of incomplete handshakes it will start to
adjust its timer (wait less) in closing these incomplete handshakes.
The idea is to make the victim's host more resilient to this abnormal
socket state. IT DOES NOT GET RID OF THE PROBLEM. It just tries
to manage it while alerting the sys admin. :-)
The other end point (the one of the attacker) is tricky.
If it is a terminal server, then a few access-lists on the
ip pool will be effective. It will be a miracle if ISPs start to
do this and let's not forget the edu, gov, and all other organizations
that can be the lily pad for the attacker. At this point, I
think that it is infeasible for anything to be done given the
nature of the attack other than a defensive position at the victim's
host.
This SYN bomb is nothing new. I am happy in a sick way that this
took place. 1) It got me off my ass to do more coding with my buddies
2) Maybe the move to IPv6 will quicken?
Thanks for your time,
--blast
+--------------------------------------------------------------------+
\ Tim Keanini | "The limits of my language, /
/ aka blast | are the limits of my world." \
\ | --Ludwig Wittgenstein /
\ +================================================/
|Key fingerprint = 7B 68 88 41 A8 74 AB EC F0 37 98 4C 37 F7 40 D6 |
/ PUB KEY: http://www-swiss.ai.mit.edu/~bal/pks-commands.html \
\ <blast@worldbit.com> /
+--------------------------------------------------------------------+
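A model of the adaptive half-open timer the post describes, written as an added example (it is not the poster's daemon nor any kernel's code): the wait for the handshake's 3rd step slides from 75 seconds toward 5 seconds as incomplete handshakes pass a threshold, and the sysadmin is alerted. The threshold and ceiling values, and the 192.0.2.0/24 source addresses in the constructed flood, are assumptions.

```python
# Added model (not the poster's daemon) of the adaptive half-open timeout the
# post describes: the wait for the handshake's 3rd step slides from 75 s toward
# 5 s as incomplete handshakes pass a threshold. Threshold/ceiling are assumed.
NORMAL_TIMEOUT = 75.0  # seconds a stack of that era waited for the final ACK
MIN_TIMEOUT = 5.0      # floor the post mentions (numbers "not firm yet")

class HalfOpenTable:
    def __init__(self, threshold=100, ceiling=800):
        self.threshold = threshold  # entries before the timer starts sliding
        self.ceiling = ceiling      # entries at which the timer hits the floor
        self.entries = {}           # (src_ip, src_port, dst_port) -> SYN time
        self.alerts = []            # messages for the sysadmin

    def timeout(self):
        """Current wait: linear slide from NORMAL_TIMEOUT to MIN_TIMEOUT."""
        n = len(self.entries)
        if n <= self.threshold:
            return NORMAL_TIMEOUT
        if n >= self.ceiling:
            return MIN_TIMEOUT
        frac = (n - self.threshold) / (self.ceiling - self.threshold)
        return NORMAL_TIMEOUT - frac * (NORMAL_TIMEOUT - MIN_TIMEOUT)

    def syn(self, key, now):
        """Record an incoming SYN; alert once when the threshold is crossed."""
        self.entries[key] = now
        if len(self.entries) == self.threshold + 1:
            self.alerts.append(f"t={now:.0f}s: over {self.threshold} half-open connections")

    def ack(self, key):  # third step arrived: handshake completes, leaves table
        return self.entries.pop(key, None) is not None

    def reap(self, now):
        """Drop entries older than the current timeout; return how many."""
        limit = self.timeout()
        expired = [k for k, t in self.entries.items() if now - t > limit]
        for k in expired:
            del self.entries[k]
        return len(expired)

def simulate_flood(rate_per_sec, seconds, table):
    """Feed a constructed flood of SYNs that never get their ACK (source
    192.0.2.0/24 is documentation space) and return the peak table size."""
    peak = 0
    for sec in range(seconds):
        for j in range(rate_per_sec):
            table.syn(("192.0.2.1", sec * rate_per_sec + j, 80), float(sec))
        table.reap(float(sec))
        peak = max(peak, len(table.entries))
    return peak
```

With the sliding timer the table of a host taking 100 unanswered SYNs per second settles around a few hundred entries, whereas a fixed 75-second timer lets it grow by 100 every second for the whole window.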