SYN floods (was: does history repeat itself?)
Avi Freedman
freedman at netaxs.com
Mon Sep 9 18:35:27 UTC 1996
> BTW, Alexis Rosen at Panix could use some help tracking down the
> person(s) attacking his machines -- he's more or less being shut down
> by this. He's having some trouble finding the right person at Sprint
> (one of his two providers) to talk to. If the right person could get
> in touch with me, I'll hook the two of you up.
>
> Hopefully, with a little inter-provider cooperation, the guy will get
> caught and arrested soon.
>
> Perry
I'll post more a bit later (the attack is under way now).

MCI was very cooperative, but Sprint said they didn't have time or
energy (even though Panix is a Sprint customer) to help to find out
where on Sprint's network the packets are entering. (Panix has a
t1 to MCI and a t1 to Sprintlink. In fact, Panix was Sprintlink's
first ISP customer, (used to be on sl-dc-1-s0)).

For a while, the attacker was using a constant seq # (though random ports
and src addresses). We hacked the kernel to filter out that seq # in
tcp input routines.

While how to fix kernels so they're not as vulnerable to huge syn storms
is not a NANOG topic, finding the <expletives deleted regretfully> who
do this is.

More later,
Avi
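
The constant-sequence-number filter mentioned in the message above, sketched as an added example (not the code Panix ran and not part of the original post): `dominant_seq` picks out a sequence number shared by most sampled SYNs, and `drop_syn` is the check a TCP input path could apply to it. The function names, the 20-byte header layout handling and the sample values are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define TH_SYN 0x02
#define TH_ACK 0x10

/* Sequence number: bytes 4..7 of the TCP header, network byte order. */
static uint32_t tcp_seq(const uint8_t *tcp)
{
    return ((uint32_t)tcp[4] << 24) | ((uint32_t)tcp[5] << 16) |
           ((uint32_t)tcp[6] << 8) | (uint32_t)tcp[7];
}

/* 1 = drop: a bare SYN (SYN set, ACK clear) carrying the blocked value.
 * A legitimate client that picks the same value is dropped too. */
int drop_syn(const uint8_t *tcp, size_t len, uint32_t blocked_seq)
{
    if (len < 20)
        return 0;   /* truncated header: leave to the normal input checks */
    if ((tcp[13] & (TH_SYN | TH_ACK)) != TH_SYN)
        return 0;   /* SYN-ACKs and established traffic pass untouched */
    return tcp_seq(tcp) == blocked_seq;
}

/* Majority vote over sampled SYN sequence numbers: returns 1 and sets *out
 * if one value makes up more than half of the sample, else returns 0. */
int dominant_seq(const uint32_t *seqs, size_t n, uint32_t *out)
{
    uint32_t cand = 0;
    size_t count = 0, hits = 0, i;
    for (i = 0; i < n; i++) {
        if (count == 0) { cand = seqs[i]; count = 1; }
        else if (seqs[i] == cand) count++;
        else count--;
    }
    for (i = 0; i < n; i++)
        hits += (seqs[i] == cand);
    if (hits * 2 <= n)
        return 0;
    *out = cand;
    return 1;
}

/* Constructed sample: header of a bare SYN with seq 0x1d2c3b4a. */
const uint8_t sample_syn[20] = {
    0x04, 0xd2, 0x00, 0x19, 0x1d, 0x2c, 0x3b, 0x4a, 0, 0, 0, 0,
    0x50, TH_SYN, 0, 0x20, 0, 0, 0, 0
};
```

Such a filter only holds while the sequence number stays constant, which the message notes was true "for a while".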