New Denial of Service Attack on Panix

Christopher Blizzard blizzard at odin.nyser.net
Tue Sep 17 14:23:54 UTC 1996


In message <Pine.BSI.3.93.960916191246.3265P-100000 at sidhe.memra.com>, Michael Dillon writes:
:
:The only thing that comes close to the concept of "filtering" is to build
:a SYN proxy that replies with SYN-ACK and hangs onto SYN packets until the
:ACK is received from the net before actually letting the packets through
:to your server. This may require sequence number munging on every packet
:but that's generally the kind of thing proxies do. 
:
:Of course, such a proxy does not yet exist except possibly as somebody's
:home-built box based on some stripped down BSD-ish UNIX kernel with
:various modifications. But assuming that you can build a box with enough
:horsepower to handle 100baseTx/FDDI/whatever in and
:100baseTx/FDDI/whatever out, then this is in the realm of possibility.
:

A beefed up application level firewall would probably work well in this 
situation.

--Chris

:Michael Dillon                   -               ISP & Internet Consulting
:Memra Software Inc.              -                  Fax: +1-604-546-3049
:http://www.memra.com             -               E-mail: michael at memra.com
-------------------------------------------------------------------
Christopher Blizzard   | "The truth knocks on the door and you say
blizzard at nysernet.org  | 'Go away.  I'm looking for the truth,' and
NYSERNet, Inc.         | so it goes away."  --Robert Pirsig
-------------------------------------------------------------------
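
The SYN proxy described in the quoted text above, as an added Python sketch that is not part of the original thread. It models the handshake the proxy completes on the server's behalf and the per-packet sequence-number translation that follows. The class and method names are hypothetical, and packets are modelled as plain tuples rather than real TCP segments.

```python
# Added illustration: SYN proxy handshake with sequence-number translation.
# All names are hypothetical; packets are modelled as plain integers/tuples.
MOD = 2 ** 32

class SynProxy:
    def __init__(self, isn_source):
        self.isn_source = isn_source  # callable returning the proxy's ISN (random in practice)
        self.pending = {}             # client -> (client_isn, proxy_isn): held SYNs
        self.awaiting_server = {}     # client -> proxy_isn, SYN released to server
        self.delta = {}               # client -> (server_isn - proxy_isn) mod 2^32

    def on_client_syn(self, client, client_isn):
        """Answer the SYN ourselves; the server sees nothing yet."""
        proxy_isn = self.isn_source() % MOD
        self.pending[client] = (client_isn, proxy_isn)
        return ("SYN-ACK", proxy_isn, (client_isn + 1) % MOD)

    def on_client_ack(self, client, ack):
        """Release the held SYN only if the ACK proves the client saw our SYN-ACK."""
        held = self.pending.get(client)
        if held is None or ack != (held[1] + 1) % MOD:
            return None               # spoofed or stray ACK: server stays untouched
        client_isn, proxy_isn = self.pending.pop(client)
        self.awaiting_server[client] = proxy_isn
        return ("SYN", client_isn)    # forwarded to the server

    def on_server_synack(self, client, server_isn):
        """Server chose its own ISN; remember the offset for later munging."""
        proxy_isn = self.awaiting_server.pop(client)
        self.delta[client] = (server_isn - proxy_isn) % MOD
        return ("ACK", (server_isn + 1) % MOD)  # completes the server-side handshake

    def seq_to_client(self, client, server_seq):
        return (server_seq - self.delta[client]) % MOD

    def ack_to_server(self, client, client_ack):
        return (client_ack + self.delta[client]) % MOD

def demo():
    # Constructed values: fixed ISNs so the result is reproducible.
    proxy = SynProxy(isn_source=lambda: 4294967000)
    proxy.on_client_syn("spoofed", 111)          # never ACKs: stays in pending
    proxy.on_client_syn("real", 1000)
    forwarded = proxy.on_client_ack("real", 4294967001)
    proxy.on_server_synack("real", 500)
    return forwarded, proxy.seq_to_client("real", 501), proxy.ack_to_server("real", 4294967001)
```

The half-open state now lives in the proxy's `pending` table instead of the server's backlog, so a real implementation needs a timeout and a size bound on that table.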




