A major New York ISP has been severely attacked by SYN floods with random
spoofed source addresses since last Friday or so. When these attacks occur,
they are basically shut down. And tracking them back to source requires
each provider to track it back one router at a time.
Anybody have any good ideas on how this can be tracked back faster
or how you can prevent a SYN flood from shutting you down?
Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael @
---------- Forwarded message ----------
Date: Wed, 11 Sep 1996 05:58:02 -0400 (EDT)
From: Alexis Rosen <alexis @
To: nanog @
Subject: SYN floods continue
We got hit again tonight. This time on seven different machines- three
mail hosts, two news machines, our web site, and VTW's web site (we
provide all service for VTW).
I am simply amazed that anyone would attack VTW. Even the shmuck who's
attacking us benefits from VTW's work. Why would anyone attack them?
Anyway. Point is this: We can't take too much more of this, nor can our
customers. I have yet to hear *anyone* come up with any ideas even remotely
reasonable for how to deal with this situation, long term, except for the
filtering that Avi, Perry, and I have been promoting these last few days.
Whether or not existing equipment can handle the job is *IRRELEVANT*. If
it won't, new equipment must be bought. The net won't survive without it.
(And yes, I've been hearing "death of the net" predictions for longer than
most readers of this list have been on the net. This could really be it.)