SYN: from the firewalls list

Michael Dillon michael at memra.com
Thu Sep 12 04:44:58 UTC 1996


---------- Forwarded message ----------
Date: Thu, 12 Sep 1996 03:31:11 +0200 (MET DST)
From: Bernd Eckenfels <lists at lina.inka.de>
To: Robert Hanson <roberth at cet.com>
Cc: firewalls at GreatCircle.COM
Subject: Re: SYN floods continue (fwd)

Hi,

> how do we fix zillions of machines from a "red flag" situation. or at
> least the ones we care about... is this not "logical"...

There are two fixes. The first is very simple: every ISP has people to do the
work. Within a few hours every SYN attack should be backtraceable,
especially if one can expect it and prepare for it. Every ISP only needs the
phone number of the person at the upstream ISP which is providing the trace
service. Additionally, tools like Argus can be used at ISPs to log the
traffic and bad conditions with source. Generally this is a political fix
which can be supported by filtering and all kinds of time-consuming and
expensive work.

The other fix is to develop a new protocol which is better suited for
communication in a hostile environment. This is IPv6 or IPsec.

Currently there is no real fix to SYN attacks. There are a few good attempts
like reverse-resolving of addresses, wrap-around listen backlogs instead of
filling up queues. At least systems can be enhanced to WARN about SYN attacks.
With some things like wrap-around queues one can at least increase the amount
of bandwidth needed for a SYN attack. But you can never guarantee operation
for servers which are connected to the open Internet.

Greetings
Bernd
-- 
  (OO)      -- Bernd_Eckenfels at Wittumstrasse13.76646Bruchsal.de --
 ( .. )   ecki@{lina.inka.de,linux.de}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/A2C51749  eckes at irc  +4972573817  *plush*
(O____O)       If privacy is outlawed only Outlaws have privacy
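The two backlog behaviours Bernd contrasts above, a listen queue that fills up and then drops new SYNs versus a wrap-around queue that evicts the oldest half-open entry, are illustrated by the following model. It is an added example, not code from the original mail or from any of the systems it mentions; the class, the `simulate` helper, the backlog size and the addresses (taken from the RFC 5737 documentation ranges) are all constructed for the illustration, and the warning threshold plays the role of the "WARN about SYN attacks" enhancement.

```python
from collections import Counter, OrderedDict


class SynBacklog:
    """Model of a TCP listener's half-open (SYN_RECEIVED) queue.

    policy="fill": once the queue is full, further SYNs are dropped
                   until an entry completes or times out (classic behaviour).
    policy="wrap": once the queue is full, the oldest half-open entry is
                   evicted so the newest SYN always gets a slot.
    A warning counter models a host that alerts when the queue is nearly full.
    """

    def __init__(self, size, policy="fill", warn_ratio=0.9):
        self.size = size
        self.policy = policy
        self.warn_threshold = size * warn_ratio
        self.pending = OrderedDict()   # (src, sport) -> arrival sequence number
        self.dropped = 0               # SYNs refused because the queue was full
        self.evicted = 0               # half-open entries pushed out by wrap-around
        self.warnings = 0              # times the near-full threshold was crossed
        self._seq = 0

    def syn(self, src, sport):
        """Handshake step 1: a SYN arrives. Returns True if it got a slot."""
        key = (src, sport)
        self._seq += 1
        if key in self.pending:
            self.pending.move_to_end(key)      # retransmitted SYN, keep the slot
            return True
        if len(self.pending) >= self.size:
            if self.policy == "wrap":
                self.pending.popitem(last=False)  # evict the oldest half-open entry
                self.evicted += 1
            else:
                self.dropped += 1
                return False
        self.pending[key] = self._seq
        if len(self.pending) >= self.warn_threshold:
            self.warnings += 1
        return True

    def ack(self, src, sport):
        """Handshake step 3: the client's ACK. True only if its SYN is still queued."""
        return self.pending.pop((src, sport), None) is not None

    def top_half_open_source(self):
        """Defender's view: which source holds the most half-open slots right now."""
        counts = Counter(src for src, _ in self.pending)
        return counts.most_common(1)[0] if counts else None


def simulate(policy, size=8, flood_before=50, flood_between=3):
    """Constructed scenario: a burst of SYNs that are never completed, then one
    legitimate client whose ACK arrives after `flood_between` more such SYNs
    (the SYNs that fit into the client's round-trip time)."""
    q = SynBacklog(size, policy)
    flood_src, legit_src, legit_port = "203.0.113.7", "198.51.100.20", 40000
    for i in range(flood_before):
        q.syn(flood_src, 1000 + i)
    accepted = q.syn(legit_src, legit_port)
    for i in range(flood_between):
        q.syn(flood_src, 5000 + i)
    completed = q.ack(legit_src, legit_port)
    return {
        "policy": policy,
        "legit_accepted": accepted,
        "legit_completed": completed,
        "dropped": q.dropped,
        "evicted": q.evicted,
        "warnings": q.warnings,
        "top_source": q.top_half_open_source(),
    }


if __name__ == "__main__":
    for result in (simulate("fill"), simulate("wrap"), simulate("wrap", flood_between=8)):
        print(result)
```

With the fill policy the legitimate SYN is refused outright once the queue holds eight stale entries. With wrap-around it is accepted and completes as long as fewer than `size` further SYNs arrive before its ACK; only a sustained rate of at least one queue-length per client round-trip time displaces it, which is the bandwidth increase the mail refers to. In both cases `top_half_open_source` shows the queue dominated by one address, the kind of condition a host or an ISP-side logger would flag.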