Date:      Sat, 7 Sep 1996 20:20:21 +0300 (EET DST)
From:      Petri Helenius <pete@sms.fi>
To:        Brian Tao <taob@io.org>
Cc:        FREEBSD-SECURITY-L <freebsd-security@FreeBSD.org>, BUGTRAQ@NETSPACE.ORG
Subject:   Panix Attack: synflooding and source routing?
Message-ID:  <199609071720.UAA20430@silver.sms.fi>
In-Reply-To: <Pine.NEB.3.92.960907114113.240B-100000@zap.io.org>
References:  <Pine.NEB.3.92.960907114113.240B-100000@zap.io.org>


Have a read of the latest craze; it's starting to get pretty ugly, imho...

Pete

 > ---------- Forwarded message ----------
 > >Return-Path: <Peter_Kelk@kelk.com>
 > >To: mcarr <mcarr@ican.net>
 > >From: Peter Kelk/Kelk <Peter_Kelk@kelk.com>
 > >Date:  7 Sep 96  9:19:38
 > >Subject: Important Warning
 > >X-Lotus-Type: Corresp
 > >
 > >Mike, I received this from my brother-in-law in New York City.  Thought it
 > >might be useful for Ican.
 > >
 > >
 > >                        W E L C O M E   T O   P A N I X
 > >
 > >
 > >Panix under attack! (alexis) Sat Sep  7 01:43:27 1996
 > >
 > >   Friday evening, starting at around 5:45, all of Panix's main mail
 > >   hosts were attacked from a site somewhere on the internet. I have been
 > >   trying to deal with this problem ever since, and the attack is still
 > >   happening at this time.
 > >
 > >   The attacker is forging random source addresses on his packets, so
 > >   there is no way to find his/her location. There is also no way to screen
 > >   out those packets with a simple router filter.
 > >
 > >   This is probably the most deadly type of denial-of-service attack
 > >   possible. There is no easy or quick way of dealing with it. If it continues
 > >   into Saturday we will start working on kernel modifications to try to
 > >   absorb the damage (since there's absolutely no way to avoid it). This
 > >   however will not be an easy job and it could take days to get done (and
 > >   get done right).
 > >
 > >   For those who are IP hackers, the problem is that we're being flooded
 > >   with SYNs from random IP addresses on our smtp ports. We are getting
 > >   on average 150 packets per second (50 per host).
 > >
 > >   We are not the only site being attacked in this way. I know of one
 > >   other site that is being attacked in an identical manner right now,
 > >   and I know of three others that have been attacked in the last two weeks.
 > >   I hope that this means that the attacker is merely playing malicious
 > >   games, and will soon tire of molesting our site. If that is the case,
 > >   mail will come back up as soon as the attack ends. But if the attacker
 > >   is really interested in damaging Panix specifically, the attack may
 > >   *never* stop and service won't be restored until we can write kernel
 > >   modifications.
 > >
 > >   We fully understand how terrible this is. The really scary part is that
 > >   *no* site on the net is immune. No site can unilaterally do *Anything*
 > >   to protect or defend itself against this sort of attack. Only through
 > >   cooperation between the major (and minor!) providers can this sort of
 > >   problem be eliminated, and the large providers so far aren't showing
 > >   any interest in the problem (we are a Sprint customer, and tonight when
 > >   we asked for help tracing the packets back at least to their entry point
 > >   in Sprint's net, Sprint basically told us to drop dead).
 > >
 > >   In case anyone's wondering, I spoke to CERT (In particular, Jim Ellis)
 > >   for over 90 minutes tonight. Yes, Panix and CERT have buried the hatchet.
 > >   CERT agrees with us about the gravity of the situation. They also see
 > >   no immediate solution to the problem.
 > >
 > >   I'll try and post information about this to panix.announce, and deal with
 > >   discussion in panix.upgrade (for want of a better place), but that
 > >   won't happen immediately since I'm working on several things at once
 > >   right now trying to deal with this problem.
 > >
 > >-rw-r--r--  1 sondheim     2201 Sep  7 02:13 /net/u/6/s/sondheim/.plan
 > >  3:05am  up 5 days, 10:36,  26 users,  load average: 3.61, 2.83, 2.57
 > >User     tty       login@  idle   JCPU   PCPU  what
 > >sondheim ttyp4     3:03am     1      1         w sondheim
 > >
 > >k:8> df
 > >Filesystem            kbytes    used   avail capacity  Mounted on
 > >/dev/sd0a              10007    6891    2116    77%    /
 > >/dev/sd0g             111447   93571    6732    93%    /usr
 > >/dev/sd0d             102919   30624   62004    33%    /var
 > >/dev/sd0f            1268446  994176  147426    87%    /net/u/9
 > >/dev/sd0h            1268446 1011007  130595    89%    /net/u/10
 > >/dev/sd1d             937406  784194   59472    93%    /net/u/18
 > >/dev/sd1e             937406  767067   76599    91%    /net/u/19
 > >panix.nfs100.access.net:/net/local
 > >                      834461  706933   44082    94%    /net/local
 > >panix.nfs100.access.net:/net/u/1
 > >                     2086894 1821103   57102    97%    /net/u/1
 > >panix.nfs100.access.net:/net/u/2
 > >                     2086894 1718086  160119    91%    /net/u/2
 > >panix.nfs100.access.net:/net/u/3
 > >                     1056788  899125   51985    95%    /net/u/3
 > >panix2.nfs100.access.net:/net/u/4
 > >                     1340910 1132383   74436    94%    /net/u/4
 > >panix2.nfs100.access.net:/net/u/5
 > >                     1245240 1077317   43399    96%    /net/u/5
 > >panix.nfs100.access.net:/net/u/7
 > >                      907494  772511   44234    95%    /net/u/7
 > >panix.nfs100.access.net:/net/u/8
 > >                      484607  365949   70198    84%    /net/u/8
 > >panix.nfs100.access.net:/net/u/11
 > >                     2042490 1488109  350132    81%    /net/u/11
 > >panix2.nfs100.access.net:/net/u/13
 > >                     1245240 1076936   43780    96%    /net/u/13
 > >panix2.nfs100.access.net:/net/u/14
 > >                     1245240 1052421   68295    94%    /net/u/14
 > >panix2.nfs100.access.net:/net/u/15
 > >                     1340910 1106245  100574    92%    /net/u/15
 > >panix2.nfs100.access.net:/net/u/16
 > >                     1340910 1113781   93038    92%    /net/u/16
 > >panix2.nfs100.access.net:/net/u/17
 > >                      953687  702839  155480    82%    /net/u/17
 > >panix.nfs100.access.net:/net/archive
 > >                     2042490 1488109  350132    81%    /net/archive
 > >panix.nfs100.access.net:/var
 > >                      236383  142836   69909    67%    /hosts/panix/var
 > >news1.nfs100.access.net:/var
 > >                      968836  480625  439769    52%    /hosts/news1/var
 > >news1.nfs100.access.net:/var/spool/news
 > >                     2097151  361292 1534669    19%    /var/spool/news
 > >news1.nfs100.access.net:/var/spool/newsdb
 > >                      968836  551768  368626    60%    /var/spool/newsdb
 > >news1.nfs100.access.net:/net/hlocal/news
 > >                      970732  331460  590735    36%    /hosts/news1/news
 > >news1.nfs100.access.net:/var/spool/news2
 > >                     2097151  730725 1164215    39%    /var/spool/news2
 > >news2.panix.com:/e    628543   40141  525548     7%    /hosts/news/e
 > >news2.panix.com:/f   1036526   25659  907215     3%    /hosts/news/f
 > >web6.panix.com:/usr/local/net_public/httpd/htdocs
 > >                     2097151  324571 1577218    17%    /net/w/panixdocs
 > >web1.panix.com:/usr/local/net_public/httpd/htdocs/corp-dirs
 > >                     2097151  375851 1553220    19%    /net/w/1
 > >web6.panix.com:/usr/local/net_public/httpd/htdocs/userdirs
 > >                     2097151  324571 1577218    17%    /net/w/userdirs
 > >web1.panix.com:/usr/local/net_public/httpd/httpd-logs
 > >                      380876  271361   90471    75%    /net/httpd_logs/web1
 > >web6.panix.com:/usr/local/net_public/httpd/httpd-logs
 > >                     2097151  324571 1577218    17%    /net/httpd_logs/web6
 > >web1.panix.com:/usr/local/net_public/httpd/data
 > >                      380876  271361   90471    75%    /net/data/web1
 > >web6.panix.com:/usr/local/net_public/httpd/data
 > >                     2097151  324571 1577218    17%    /net/data/web6
 > >198.7.0.64:/usr/local/ftp/corp-dirs
 > >                      380876  271361   90471    75%    /net/ftp/1
 > >198.7.0.65:/var/ftp/corp-dirs
 > >                      853494   25109  785710     3%    /net/ftp/2
 > >198.7.0.66:/var/ftp/corp-dirs
 > >                      844708   89718  712754    11%    /net/ftp/3
 > >198.7.0.70:/usr/local/ftp/corp-dirs
 > >                      842053   80814  719136    10%    /net/ftp/7
 > >198.7.0.71:/var/ftp/corp-dirs
 > >                      805037    5684  759101     1%    /net/ftp/8
 > >panix4.nfs100.access.net:/holding
 > >                      609094  401462  146723    73%    /mnt
 > >/dev/sd0e            1271134  993586  150435    87%    /net/u/6
 > >k:9>
 > >
 > >
 > 
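The forwarded Panix notice describes the three things a victim can actually observe in a spoofed-source SYN flood: a high SYN rate on the attacked service port (about 50 per second per mail host), source addresses that never repeat because they are forged, and half-open connections that are never completed with the client's ACK. The following script, added here as an illustration and not code from Panix, Petri Helenius or the original post, turns those three observations into a per-host detection check run over a constructed packet log. The log line format (`<epoch> <src> <dst> <dst_port> <flags>`), the hostnames and the addresses (RFC 5737 documentation ranges) are all assumptions made for the example; the thresholds are chosen to match the rates quoted in the post.

```python
"""Spoofed-source SYN flood detection over a constructed packet log.

Added example: it is not code from the Panix post or its authors.  The
log format below is invented for the example; a real deployment would feed
it from a capture tool instead of build_sample_log().
"""
import random
from collections import defaultdict

# Constructed log line layout:  <epoch_seconds> <src_ip> <dst_ip> <dst_port> <flags>
# <flags> is "S" (client SYN) or "A" (client ACK completing the handshake).


def build_sample_log(seed=1):
    """Construct a log mixing normal handshakes with a spoofed SYN flood."""
    rng = random.Random(seed)
    lines = []
    # Legitimate clients on the first mail host: every SYN is followed ~50 ms
    # later by the same client's ACK, so the handshake completes.
    for i in range(10):
        t = 1000.0 + i * 0.1
        src = f"192.0.2.{10 + i}"
        lines.append(f"{t:.3f} {src} 198.51.100.5 25 S")
        lines.append(f"{t + 0.05:.3f} {src} 198.51.100.5 25 A")
    # A mail host that only sees legitimate traffic (control case).
    for i in range(5):
        t = 1000.0 + i * 0.1
        src = f"192.0.2.{40 + i}"
        lines.append(f"{t:.3f} {src} 198.51.100.8 25 S")
        lines.append(f"{t + 0.05:.3f} {src} 198.51.100.8 25 A")
    # Flood: ~150 SYN/s spread over three mail hosts (~50/s each), random
    # forged sources, never followed by an ACK.  Mirrors the figures in the post.
    hosts = ["198.51.100.5", "198.51.100.6", "198.51.100.7"]
    for i in range(150):
        t = 1000.0 + i / 150.0
        src = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        lines.append(f"{t:.3f} {src} {hosts[i % 3]} 25 S")
    return lines


def parse(line):
    ts, src, dst, port, flags = line.split()
    return float(ts), src, dst, int(port), flags


def analyse(lines, window=1.0, min_syn_rate=20.0, max_completion=0.5):
    """Per destination host:port, compute SYN-flood indicators.

    Signals (all visible at the victim, none needing the true source):
      * peak SYN rate over the busiest `window` seconds,
      * fraction of SYNs whose source address is distinct (forged -> ~1.0),
      * fraction of SYN sources that ever completed the handshake with an ACK.
    A host:port is flagged when the rate is high AND completion is low.
    """
    syns = defaultdict(list)   # (dst, port) -> [(ts, src), ...]
    acked = defaultdict(set)   # (dst, port) -> {src that sent an ACK}
    for line in lines:
        ts, src, dst, port, flags = parse(line)
        if flags == "S":
            syns[(dst, port)].append((ts, src))
        elif flags == "A":
            acked[(dst, port)].add(src)

    report = {}
    for key, events in syns.items():
        events.sort()
        times = [t for t, _ in events]
        # Busiest sliding window: two-pointer sweep over sorted timestamps.
        peak, j = 0, 0
        for i, t in enumerate(times):
            while times[j] < t - window:
                j += 1
            peak = max(peak, i - j + 1)
        sources = {s for _, s in events}
        completion = len(sources & acked[key]) / len(sources)
        rate = peak / window
        report[key] = {
            "peak_syn_rate": rate,
            "unique_source_ratio": len(sources) / len(events),
            "handshake_completion": completion,
            "flood": rate >= min_syn_rate and completion <= max_completion,
        }
    return report


if __name__ == "__main__":
    for (dst, port), r in sorted(analyse(build_sample_log()).items()):
        print(f"{dst}:{port}  syn/s={r['peak_syn_rate']:.0f}  "
              f"unique={r['unique_source_ratio']:.2f}  "
              f"completed={r['handshake_completion']:.2f}  "
              f"{'FLOOD' if r['flood'] else 'ok'}")
```

The completion ratio is the discriminator that matters: a busy but honest mail host has a high SYN rate too, yet its sources come back with ACKs, while the forged sources in the post never can. The script only does the accounting side; the kernel-side work the post anticipates (absorbing half-open connections rather than letting them exhaust the listen queue) is what most stacks later shipped as SYN cookies.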



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199609071720.UAA20430>