SYN floods

Erik E. Fair (Time Keeper) fair at clock.org
Tue Sep 17 21:36:58 UTC 1996


It is also important to remember that the SYN attack is only one in a class
of one-way denial-of-service attacks. While hardening the servers on the
net against this kind of attack is important (and is the province of the
server/OS vendors, not the router or firewall vendors), the most effective
way to end a denial of service attack is to trace it to its source, and
terminate it there.

To be able to trace without doing a lot of link-by-link guesswork, the
edges of the network need to be filtered, such that no customer of any ISP
or NSP can inject packets into the Internet that are not part of the
customer's assigned address space. This will give us a first approximation
of an ability to figure out where this stuff comes from.

While it's harder to trace if we get less than 100% compliance, if we get
60%, we know where to start looking for the perps - the remaining 40%.

The other nice effect of this requirement is that, in the implementations
that I am aware of, it's cheaper to filter one big CIDR block than a
bazillion disjoint address spaces, thus adding one more thump to the
drumbeat for CIDR.

It is time for a Best Common Practice document.

	Erik Fair
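The edge filter Erik describes, as an added worked example that is not part of the original post or of any vendor's implementation: a hypothetical customer-edge ingress check that admits a packet into the provider's network only if its source address falls inside the customer's assigned address space, with the assigned blocks first collapsed into the fewest CIDR prefixes (the aggregation point made above). The prefixes, the spoofed SYN and the other sample packets are constructed for illustration.

```python
from ipaddress import ip_address, ip_network, collapse_addresses

# Hypothetical customer-edge ingress filter (added example, not from the post).
# Policy: a packet may enter the provider network only if its source address
# lies within the address space assigned to the customer on that port.


def build_ingress_filter(assigned_prefixes):
    """Collapse the customer's assigned prefixes into the fewest CIDR blocks.

    Adjacent or overlapping blocks are merged, so one aggregate /24 replaces
    two /25s: fewer filter entries is exactly why aggregation is cheaper.
    """
    nets = [ip_network(p, strict=True) for p in assigned_prefixes]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    collapsed = []
    if v4:
        collapsed.extend(collapse_addresses(v4))
    if v6:
        collapsed.extend(collapse_addresses(v6))
    return collapsed


def ingress_permits(filter_nets, src):
    """True if the source address is inside one of the permitted blocks."""
    addr = ip_address(src)
    return any(addr.version == n.version and addr in n for n in filter_nets)


def filter_packets(filter_nets, packets):
    """Split packets into (accepted, dropped) according to the ingress filter.

    Each packet is a dict with at least a 'src' key; other keys are carried
    through untouched so the caller can see what was dropped and why.
    """
    accepted, dropped = [], []
    for pkt in packets:
        if ingress_permits(filter_nets, pkt["src"]):
            accepted.append(pkt)
        else:
            dropped.append(pkt)
    return accepted, dropped


# Constructed sample data: the customer holds two adjacent /25s, which the
# filter collapses into a single /24. The SYN with a source outside that
# space is the spoofed packet an ingress filter is meant to stop.
CUSTOMER_PREFIXES = ["192.0.2.0/25", "192.0.2.128/25"]

SAMPLE_PACKETS = [
    {"src": "192.0.2.10", "dst": "203.0.113.5", "flags": "SYN"},    # legitimate
    {"src": "192.0.2.200", "dst": "203.0.113.5", "flags": "ACK"},   # legitimate
    {"src": "198.51.100.7", "dst": "203.0.113.5", "flags": "SYN"},  # spoofed source
    {"src": "10.0.0.1", "dst": "203.0.113.5", "flags": "SYN"},      # spoofed source
]


def demo():
    """Run the filter over the constructed packets; returns (accepted, dropped)."""
    nets = build_ingress_filter(CUSTOMER_PREFIXES)
    return filter_packets(nets, SAMPLE_PACKETS)


if __name__ == "__main__":
    ok, bad = demo()
    print("filter:", [str(n) for n in build_ingress_filter(CUSTOMER_PREFIXES)])
    print("accepted:", [p["src"] for p in ok])
    print("dropped:", [p["src"] for p in bad])
```

The check is deliberately a pure source-address membership test: it does not inspect TCP flags, because the point of ingress filtering is that a SYN flood (or any other one-way attack) arriving with a forged source can be traced to the edge port it entered on, not that the edge can recognise the attack itself.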
