From owner-freebsd-security Sun Sep 8 03:12:12 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id DAA00634 for security-outgoing; Sun, 8 Sep 1996 03:12:12 -0700 (PDT)
Received: from who.cdrom.com (who.cdrom.com [204.216.27.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id DAA00626 for ; Sun, 8 Sep 1996 03:12:10 -0700 (PDT)
Received: from mail.crl.com (mail.crl.com [165.113.1.22]) by who.cdrom.com (8.7.5/8.6.11) with SMTP id DAA00215 for ; Sun, 8 Sep 1996 03:12:09 -0700 (PDT)
Received: from cheops.anu.edu.au by mail.crl.com with SMTP id AA07044 (5.65c/IDA-1.5 for ); Sun, 8 Sep 1996 01:02:09 -0700
Message-Id: <199609080802.AA07044@mail.crl.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA211659454; Sun, 8 Sep 1996 17:57:34 +1000
From: Darren Reed
Subject: Re: Panix Attack: synflooding and source routing?
To: bugs@freebsd.netcom.com (Mark Hittinger)
Date: Sun, 8 Sep 1996 17:57:33 +1000 (EST)
Cc: freebsd-security@FreeBSD.org
In-Reply-To: <199609072204.RAA16524@freebsd.netcom.com> from "Mark Hittinger" at Sep 7, 96 05:04:24 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

In some mail from Mark Hittinger, sie said:
>
> Netcom's IRC servers were attacked by a similar mechanism a couple of
> weeks ago - random source addresses on packets that touched telnet, smtp,
> auth, irc, and then back to telnet.
>
> A most effective attack. We tracked it as far as we could and have more
> ideas about how to follow it back now.
>
> I'm jamming with a router buddy trying to get some code into the next cisco
> release - we can detect the condition at the router and log which interface
> we are getting the packets from. If the router can query its adjacent
> routers' "spray log" we'd be able to very quickly find the machine that
> the kiddies are running from (naturally it will belong to somebody else :-) ).
>
> There may be a kernel fix for this but I'm leaning towards a router based
> fix at this time.

I think it needs to be taken up at NANOG to have filters in place at all the
small entry points for PPP dialups and other customers (who only have one or
two networks/subnets which require Internet routing) to only permit packets
onto the Internet with correct source addresses. This doesn't prevent the
attack, but it does help in a major way for tracking the perpetrators.

darren
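The two ideas in this exchange, a per-customer source-address filter at the entry point and a per-interface log of the forged packets that filter catches, can be simulated in a few lines. This is an added example, not code from the thread or from any router vendor; the interface names, prefixes and sample packets are constructed.

```python
"""Simulated ingress source-address filter for customer-facing router ports.

Each interface is bound to the prefixes its customer may legitimately source
traffic from.  A packet whose source address is outside those prefixes is
dropped and tallied against the interface it arrived on, giving the kind of
per-interface "spray log" that lets a flood be traced to its entry point.
"""
import ipaddress
from collections import Counter

# Constructed topology: interface name -> prefixes assigned to that customer.
INTERFACES = {
    "Serial0": [ipaddress.ip_network("192.0.2.0/24")],
    "Serial1": [ipaddress.ip_network("198.51.100.0/25"),
                ipaddress.ip_network("198.51.100.128/26")],
    "Async2":  [ipaddress.ip_network("203.0.113.8/29")],
}


def source_permitted(interface, src):
    """True if src lies inside a prefix bound to interface.

    An interface with no binding permits nothing, so an unconfigured
    port fails closed instead of passing arbitrary sources.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERFACES.get(interface, []))


def filter_packets(packets):
    """Apply the ingress check to (interface, src, dst) tuples.

    Returns (forwarded, spray_log): the packets that pass, and a Counter of
    dropped packets keyed by the interface they came in on.
    """
    forwarded = []
    spray_log = Counter()
    for iface, src, dst in packets:
        if source_permitted(iface, src):
            forwarded.append((iface, src, dst))
        else:
            spray_log[iface] += 1
    return forwarded, spray_log


# Constructed sample traffic: legitimate packets plus forged sources.
SAMPLE = [
    ("Serial0", "192.0.2.10", "10.0.0.1"),
    ("Serial1", "198.51.100.150", "10.0.0.1"),
    ("Async2", "203.0.113.9", "10.0.0.1"),
    ("Async2", "45.67.89.1", "10.0.0.1"),       # forged: not in 203.0.113.8/29
    ("Async2", "192.0.2.10", "10.0.0.1"),       # forged: Serial0's address on Async2
    ("Serial1", "198.51.100.250", "10.0.0.1"),  # forged: outside both Serial1 prefixes
]

if __name__ == "__main__":
    fwd, log = filter_packets(SAMPLE)
    print(f"forwarded {len(fwd)} packets; dropped per interface: {dict(log)}")
```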