SYN floods

Michael Dillon michael at memra.com
Tue Sep 17 17:47:05 UTC 1996


On Tue, 17 Sep 1996, David Miller wrote:

> > > >   Could we drop the SYN/Denial thread?  It's becoming rather base.
> > > 
> > > The discussion could always be moved to the firewalls list.

Some part of the discussion involves the technical details of hardening OS
kernels as well as a couple of alternate solutions for defending against
the attacks involving either a SYN proxy or a machine feeding RST's. These
technical details belong on the firewalls list because the people on that
list work with building DEFENSIVE mechanisms.

> > I would suggest that it not be. This is actually a crisis that has to
> > be solved by action taken by service providers working together, and
> > does not involve conventional firewalls per se. I would say that it
> > is therefore germane to Nanog. 

Quite correct. We need better ways to trace the source of these attacks.
We need more cooperation between providers. We need educational material
that explains who should do what.

> If we're voting, I'd say inet-access.  SYN attacks and defense are more 
> centered on the ISP's than the backbones.

inet-access and other ISP mailing lists are most relevant for the
PREVENTION of SYN flood attacks. This is where we need to hammer home the
need for filtering outgoing routes. So far we have come up with detailed
instructions for configuring a Cisco, a Livingston and a Bay router
to block SYN spoofing. I'd like to see instructions for a FreeBSD/Linux
box running ipfwadm as well. Any others?

I suppose it is relevant to tell ISP's to install hardened OS kernels but
if they don't then it only hurts them, not the rest of the net.

Michael Dillon                   -               ISP & Internet Consulting
Memra Software Inc.              -                  Fax: +1-604-546-3049
http://www.memra.com             -               E-mail: michael at memra.com





