Great Circle Associates Firewalls
(September 1996)
 


Subject: Re: SYN floods continue (fwd)
From: Ryan Russell/SYBASE <Ryan . Russell @ sybase . com>
Date: 11 Sep 96 13:24:33 EDT
To: firewalls <firewalls @ sybase . com>

Geez, that's nasty.  If the attacker is doing a good enough
job of using truly random, legal source addresses, they will 
have to track through every router, as you said.  Hopefully
there aren't too many hops between them and the attacker.

If the attacker isn't being so careful about randomness, you
might be able to take advantage of some patterns (i.e.
ask the most likely ISPs to look for traffic from a, b and c
to d).

I wish them luck.  If you hear the final resolution, I'd love to 
know.

    Ryan

---------- Previous Message ----------
To: firewalls
cc: 
From: michael @ memra.com (Michael Dillon) @ smtp
Date: 09/11/96 09:43:07 AM
Subject: SYN floods continue (fwd)


A major New York ISP has been severely attacked by SYN floods with random
spoofed source addresses since last Friday or so. When these attacks occur,
they are basically shut down. And tracking them back to source requires
each provider to track it back one router at a time.

Anybody have any good ideas on how this can be tracked back faster
or how you can prevent a SYN flood from shutting you down?

Michael Dillon                   -               ISP & Internet Consulting
Memra Software Inc.              -                  Fax: +1-604-546-3049
http://www.memra.com             -               E-mail: michael @ memra . com

---------- Forwarded message ----------
Date: Wed, 11 Sep 1996 05:58:02 -0400 (EDT)
From: Alexis Rosen <alexis @ panix . com>
To: nanog @ merit . edu
Subject: SYN floods continue

We got hit again tonight. This time on seven different machines- three
mail hosts, two news machines, our web site, and VTW's web site (we
provide all service for VTW).

I am simply amazed that anyone would attack VTW. Even the shmuck who's
attacking us benefits from VTW's work. Why would anyone attack them?

Anyway. Point is this: We can't take too much more of this, nor can our
customers. I have yet to hear *anyone* come up with any ideas even remotely
reasonable for how to deal with this situation, long term, except for the
filtering that Avi, Perry, and I have been promoting these last few days.

Whether or not existing equipment can handle the job is *IRRELEVANT*. If
it won't, new equipment must be bought. The net won't survive without it.

(And yes, I've been hearing "death of the net" predictions for longer than
most readers of this list have been on the net. This could really be it.)

/a





