New Denial of Service Attack on Panix

Craig A. Huegen c-huegen at quad.quadrunner.com
Tue Sep 17 01:32:34 UTC 1996


On Mon, 16 Sep 1996, Tim Bass wrote:

==>Show me the topology, the router configurations of the gateways,
==>and the format of the denial-of-service attack packets and I'll
==>be surprised if I can't devise a scheme to stop it, even if
==>the attacker changes source addresses frequently (and I'm
==>happy to do it).

Okay, here you go...  come up with a plan.

I have a machine, X.  It is directly off FastEthernet 1/1 of my 7513, Y.
My net connection is a T1, off Serial0/0 of Y, to my provider's router, Z.

X is 172.30.15.5/28, Y's Fast1/1 is 172.30.15.1/28, Y's Serial0/0 is
192.168.1.2/30, and Z's serial interface to me is 192.168.1.1/30.

Configuration is standard; the only access list on my router is an outbound
access-list filtering my source addresses to make sure only
packets with sources of 172.30.0.0/16 get out.  It's applied in this
fashion:

access-list 115 permit ip 172.30.0.0 0.0.255.255 any
access-list 115 deny ip any any log
interface Serial0/0
ip access-group 115 out

The SYN flood coming towards my host X looks like this, at approximately
2,000 PPS:

182.58.239.2.1526     -> 172.30.15.5.80  TCP SYN
19.23.212.4.10294     -> 172.30.15.5.80  TCP SYN       
93.29.233.68.4355     -> 172.30.15.5.80  TCP SYN
[... on and on ...]

Tell me how to filter this.

/cah
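
Added example, not part of the original post and not Cisco code: this Python block evaluates ACL 115 from the message with IOS wildcard-mask semantics against the three flood lines quoted above. It shows the filter would deny and log those sources only on packets leaving the site, and is never consulted for the flood arriving toward X; the function names and the `serial0_out` direction model are assumptions made for the example.

```python
import ipaddress
import re

# ACL 115 and the three flood lines, copied from the message above.
ACL_115 = """\
access-list 115 permit ip 172.30.0.0 0.0.255.255 any
access-list 115 deny ip any any log
"""
FLOOD = """\
182.58.239.2.1526     -> 172.30.15.5.80  TCP SYN
19.23.212.4.10294     -> 172.30.15.5.80  TCP SYN
93.29.233.68.4355     -> 172.30.15.5.80  TCP SYN
"""

def parse_acl(text):
    """Parse the posted rules; both use destination 'any', so keep only the source."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, rest = tok[2], tok[4:]
        if rest[0] == "any":
            src = (0, 0xFFFFFFFF)  # all-ones wildcard matches every address
        else:
            src = (int(ipaddress.IPv4Address(rest[0])),
                   int(ipaddress.IPv4Address(rest[1])))
        rules.append((action, src, "log" in rest))
    return rules

def acl_verdict(rules, src_ip):
    """First match wins; IOS ends every ACL with an implicit deny."""
    addr = int(ipaddress.IPv4Address(src_ip))
    for action, (base, wildcard), log in rules:
        care = ~wildcard & 0xFFFFFFFF  # wildcard bit 1 means "don't care"
        if (addr & care) == (base & care):
            return action, log
    return "deny", False

def serial0_out(rules, src_ip, direction):
    """Assumed model: ACL 115 is bound 'out', so inbound packets skip it."""
    return acl_verdict(rules, src_ip)[0] if direction == "out" else "not evaluated"

def flood_sources(text):
    return re.findall(r"^(\d+\.\d+\.\d+\.\d+)\.\d+\s+->", text, re.M)

if __name__ == "__main__":
    rules = parse_acl(ACL_115)
    for src in flood_sources(FLOOD) + ["172.30.15.5"]:
        print(src, "in:", serial0_out(rules, src, "in"), "| out:", serial0_out(rules, src, "out"))
```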





