SYN floods (was: does history repeat itself?)

Pat Calhoun pcalhoun at usr.com
Tue Sep 10 18:21:45 UTC 1996


     Alexis,
     
        However if you are filtering on your outbound router to the net, 
     there is still the possbility that a malicious user could spoof 
     addresses as long as they belong to your address space. By moving the 
     filter out to the edge (when you have the equipment) this eliminates 
     that problem as well.
     
     Pat R. Calhoun                                e-mail: pcalhoun at usr.com 
     Project Engineer - Lan Access R&D                phone: (847) 933-5181 
     US Robotics Access Corp.
     
______________________________ Reply Separator _________________________________
Subject: Re: Re[2]: SYN floods (was: does history repeat itself?)
Author:  Alexis Rosen <alexis at panix.com> at Internet 
Date:    9/10/96 2:07 PM
     
     
Alec H. Peterson writes:
> 
> Pat Calhoun writes:
> >        This is actually quite simple to implement on Dial Access Routers, 
> >     and obviously this is the best place to add the filtering. 
> 
> Sure, that's a place to start.  Except for a few problems: 
> 
> 1) The people doing this are not necessarily using a dialup IP 
>    connection.
     
True. That's why you need to filter upstream of public-access unix boxes 
(like our own).
     
> 2) Many of us don't have dial access routers that can handle this.
     
Also true. As I said before, I don't know about the Ascends, but I do know 
that the Xylogics boxes we use have the capability but probably not the 
capacity. When all ports are connected at 28.8, CPU usage can hover in
the high 80% range. Adding filters would probably be a bad idea.
     
That's why I was talking about filtering at a router just upstream from 
the dial-access box.
     
FWIW, even with a thousand very busy modems, I'm pretty sure that even a 
small cisco is up to the job. They just don't generate all that much traffic.
     
/a





More information about the NANOG mailing list