SYN floods - possible solution? (fwd)

Mr. Jeremy Hall jhall at rex.isdn.net
Fri Sep 13 13:23:42 UTC 1996


-->Well, the advantage to using something like FreeBSD is that it is freely
-->available, well-documented, and eligible for creating commercial products
-->as long as you check copyrights carefully. Most parts of FreeBSD have no
-->commercial use restrictions like GNU does.
-->
-->And FreeBSD already has the basic functionality in it including support
-->for readily available hardware including 10baseT and 100baseTx and FDDI
-->interfaces. Building this kind of box would be mostly an exercise in
-->subtraction and it may well be possible to strip enough stuff out that it
-->can all be booted off a 1.44 megabyte diskette into a diskless 486 or
-->Pentium box with a RAMdisk.
-->
-->At that point all an ISP needs to do is download a file, a disk writing
-->utility (RAWRITE.EXE) and assemble a box with certain standard components
-->like their choice of 3 types of network card as mentioned above. If the
-->box included ssh for the admin interface maybe it could create a precedent
-->for router manufacturers?
-->
-->NOTE: I copied this one to freebsd-hackers
-->
-->Michael Dillon                   -               ISP & Internet Consulting
-->Memra Software Inc.              -                  Fax: +1-604-546-3049
-->http://www.memra.com             -               E-mail: michael at memra.com
-->

Well, it's sad to say, but if you want to get the attention of anybody
around here in this clueful organisation, you have to put it on NT and
make sure Microsoft supports it. I hate NT, I'd NEVER run it on my box,
but there are enough people around here that that's all they care about.
I approached our people concerning this yesterday and was stunned to see
blank stares and the question, "you mean you can . . . Why would you want
to do that? . . . They'd never strike here." So I attempted to create a
filter for our max. All that was successful in doing was destroying our
RIP updates. The filtering code on a max isn't the best since they don't
consider ARP an IP protocol, you have to deny all other IP then allow the
rest.  I'll probably look at it some more today.


Jeremy
-- 
              -------------------------------------------
              | Jeremy Hall      Network Engineer |
              | ISDN-Net, Inc    Office +1-615-371-1625 |
              | Nashville, TN    and the southeast USA  |
              | jhall at isdn.net   Pager  +1-615-702-0750 |
              -------------------------------------------





