Date: Tue, 18 Jan 2000 22:30:30 -0800 (PST) From: Matthew Dillon <dillon@apollo.backplane.com> To: Wes Peters <wes@softweyr.com> Cc: patl@phoenix.volant.org, David Wolfskill <dhw@whistle.com>, matt@ARPA.MAIL.NET, freebsd-security@FreeBSD.ORG Subject: Re: TCP/IP Message-ID: <200001190630.WAA33466@apollo.backplane.com> References: <ML-3.4.948228615.4905.patl@asimov.phoenix.volant.org> <388557FB.443E66B0@softweyr.com>
next in thread | previous in thread | raw e-mail | index | archive | help
:> > Put another router in series with it. Use an RFC 1918 "private net"
:> > numbering scheme for that (pathological) network, which then becomes an
:> > effective "demarc" between uunet.ca's responsibility/ability and yours.
:> >
:> > This generalizes, within reason. (Yes, it adds latency, too....)
:>
:> Umm, I think Matt's point was that he would like to filter these
:> things out -before- they consume bandwidth between his uplink and
:> his router. (I know I would...)
:
:Get a better ISP. They should provide such services, and the good ones will.
:They may charge to set it up, but they aren't going to want SYN floods on
:their networks. If the flood is coming from within your ISP, talk to the ISP
:and get the plug pulled on the flood source.
:
:--
: "Where am I, and what am I doing in this handbasket?"
:
:Wes Peters Softweyr LLC
Blocking SYN floods with spoofed source IP addresses is virtually
impossible. Not only can one not tell the difference between a spoofed
packet and a real SYN, it is also virtually impossible to determine
whether the actual source of the packets is if the source is not coming
from another customer in the same ISP.
A BEST customer was once attacked with a SYN flood all night long. It
took us less then a minute to determine that the flood was coming in
over our MCI transit. MCI had all night to locate the source (the attack
lasted for several hours) and never could. They couldn't pick the attack
out from the many gigabits they were shoving around with the debugging
tools they had. There wasn't anything we could do about it.
The only way to deal with SYN floods is to force leaf nodes (e.g. ISPs,
colleges) to source-ip-filter their outgoing links to prevent people from
spoofing packets within their networks using source IP's that are outside
their networks, or to force large backbones to filter the leaf nodes
themselves to allow only properly sourced packets through. Good luck!
All the major backbones have known about the problem for years and
haven't done a damn thing about it.
-Matt
Matthew Dillon
<dillon@backplane.com>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200001190630.WAA33466>