SYN floods (was: does history repeat itself?)

Pat Calhoun pcalhoun at usr.com
Mon Sep 9 18:19:18 UTC 1996


     Perry,
     
        This is actually quite simple to implement on Dial Access Routers, 
     and obviously this is the best place to add the filtering. 
     
     
     Pat R. Calhoun                                e-mail: pcalhoun at usr.com 
     Project Engineer - Lan Access R&D                phone: (847) 933-5181 
     US Robotics Access Corp.


______________________________ Reply Separator _________________________________
Subject: Re: SYN floods (was: does history repeat itself?) 
Author:  "Perry E. Metzger" <perry at piermont.com> at Internet
Date:    9/9/96 1:19 PM


     
Re: SYN floods
     
PANIX, a large public access provider in New York, was badly hit with 
SYN flood attacks from random source addresses over the last few 
days. It nearly wrecked them.
     
I think its time for the larger providers to start filtering packets 
coming from customers so that they only accept packets with the 
customer's network number on it. 
     
Yes, its a load on routers. Yes, its nasty for the mobile IP weenies. 
Unfortunately, the only known way to stop this. Many TCPs go belly up 
as soon as they get SYN flooded -- its a defect in the protocol 
design, and other than Karn style anti-clogging tokens ("cookies") 
being put into a TCP++ and mass implemented worldwide soon, the only 
reasonable way to stop this sort of terrorism is provider filtering.
     
Perry
-------------- next part --------------
Received: from usr.com (mailgate.usr.com) by robogate2.usr.com with SMTP
  (IMA Internet Exchange 2.02 Enterprise) id 233028F0; Sun, 8 Sep 96 12:29:51
-0500
Received: from merit.edu by usr.com (8.7.5/3.1.090690-US Robotics)
	id MAA17658; Mon, 9 Sep 1996 12:33:14 -0500 (CDT)
Received: from localhost (daemon at localhost) by merit.edu (8.7.5/merit-2.0) with
SMTP id NAA17064; Mon, 9 Sep 1996 13:20:33 -0400 (EDT)
Received: by merit.edu (bulk_mailer v1.5); Mon, 9 Sep 1996 13:19:08 -0400
Received: (from daemon at localhost) by merit.edu (8.7.5/merit-2.0) id NAA16987 for
nanog-outgoing; Mon, 9 Sep 1996 13:19:08 -0400 (EDT)
Received: from jekyll.piermont.com (jekyll.piermont.com [206.1.51.15]) by
merit.edu (8.7.5/merit-2.0) with ESMTP id NAA16982 for <nanog at merit.edu>; Mon, 9
Sep 1996 13:19:05 -0400 (EDT)
Received: from localhost (perry at localhost) by jekyll.piermont.com (8.7.5/8.6.12)
with SMTP id NAA24855 for <nanog at merit.edu>; Mon, 9 Sep 1996 13:19:02 -0400
(EDT)
Message-Id: <199609091719.NAA24855 at jekyll.piermont.com>
X-Authentication-Warning: jekyll.piermont.com: Host perry at localhost didn't use
HELO protocol
To: nanog at merit.edu
Subject: Re: SYN floods (was: does history repeat itself?) 
In-reply-to: Your message of "Mon, 09 Sep 1996 12:47:13 EDT."
             <199609091647.MAA01458 at tomservo.mindspring.com> 
Reply-To: perry at piermont.com
X-Reposting-Policy: redistribute only with permission
Date: Mon, 09 Sep 1996 13:19:02 -0400
From: "Perry E. Metzger" <perry at piermont.com>
Sender: owner-nanog at merit.edu


More information about the NANOG mailing list