New Denial of Service Attack on Panix
Christopher Blizzard
blizzard at odin.nyser.net
Tue Sep 17 14:23:54 UTC 1996
In message <Pine.BSI.3.93.960916191246.3265P-100000 at sidhe.memra.com>, Michael Dillon writes:
:
:The only thing that comes close to the concept of "filtering" is to build
:a SYN proxy that replies with SYN-ACK and hangs onto SYN packets until the
:ACK is received from the net before actually letting the packets through
:to your server. This may require sequence number munging on every packet
:but that's generally the kind of thing proxies do.
:
:Of course, such a proxy does not yet exist except possibly as somebody's
:home-built box based on some stripped down BSD-ish UNIX kernel with
:various modifications. But assuming that you can build a box with enough
:horsepower to handle 100baseTx/FDDI/whatever in and
:100baseTx/FDDI/whatever out, then this is in the realm of possibility.
:
A beefed up application level firewall would probably work well in this
situation.
--Chris
:Michael Dillon - ISP & Internet Consulting
:Memra Software Inc. - Fax: +1-604-546-3049
:http://www.memra.com - E-mail: michael at memra.com
-------------------------------------------------------------------
Christopher Blizzard | "The truth knocks on the door and you say
blizzard at nysernet.org | 'Go away. I'm looking for the truth,' and
NYSERNet, Inc. | so it goes away." --Robert Pirsig
-------------------------------------------------------------------
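
The SYN proxy idea quoted above, modelled as an added example (not code from either poster). The proxy answers each SYN itself, contacts the server only after the client's ACK arrives, and then rewrites sequence numbers by a fixed offset. The class and field names are assumptions; the proxy's own final ACK to the server, timeouts and payload data are left out.

```python
import secrets
from dataclasses import dataclass

MOD = 2**32  # TCP sequence numbers wrap at 32 bits

@dataclass
class Seg:
    src: str          # sender label (constructed, stands in for addr:port)
    flags: str        # "S", "SA" or "A"
    seq: int
    ack: int = 0

class Server:
    """Stand-in backend; counts the SYNs that actually reach it."""
    def __init__(self, isn):
        self.isn, self.syns_seen = isn, 0
    def syn(self, seg):
        self.syns_seen += 1
        return Seg("server", "SA", self.isn, (seg.seq + 1) % MOD)

class SynProxy:
    def __init__(self, server):
        self.server = server
        self.pending = {}  # src -> (client_isn, proxy_isn): SYNs held back
        self.offset = {}   # src -> (server_isn - proxy_isn) mod 2^32

    def from_client(self, seg):
        if seg.flags == "S":
            # Answer SYN-ACK ourselves; the server is not contacted yet.
            proxy_isn = secrets.randbelow(MOD)
            self.pending[seg.src] = (seg.seq, proxy_isn)
            return Seg("proxy", "SA", proxy_isn, (seg.seq + 1) % MOD)
        if seg.src in self.pending:
            client_isn, proxy_isn = self.pending[seg.src]
            if seg.flags != "A" or seg.ack != (proxy_isn + 1) % MOD:
                return None  # does not complete the handshake: drop
            del self.pending[seg.src]
            # The ACK proves the source is reachable: replay the held SYN.
            sa = self.server.syn(Seg(seg.src, "S", client_isn))
            self.offset[seg.src] = (sa.seq - proxy_isn) % MOD
            return None
        if seg.src in self.offset:  # established: munge the ack field
            off = self.offset[seg.src]
            return Seg(seg.src, seg.flags, seg.seq, (seg.ack + off) % MOD)
        return None

    def to_client(self, dst, seg):
        # Server -> client: shift seq back into the numbering the client saw.
        return Seg(seg.src, seg.flags, (seg.seq - self.offset[dst]) % MOD, seg.ack)
```

A SYN whose source never returns the matching ACK stays in `pending` and never reaches the server, so a real proxy must bound and expire that table cheaply.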