From: Mikael Karpberg
To: freebsd-security@freebsd.org
Subject: Re: Panix Attack: synflooding and source routing?
Date: Sat, 7 Sep 1996 19:28:34 +0200 (MET DST)
Message-Id: <199609071728.TAA00407@ocean.campus.luth.se>
In-Reply-To: from Brian Tao at "Sep 7, 96 11:44:18 am"

According to Brian Tao:
> Wouldn't turning off source-routing on your border router
> alleviate most of this problem? It won't help if you have someone
> synflooding a port from within your network, but at least it would
> prevent outside attacks. Or is this a "one-way" attack (i.e., a
> return route to host is not needed)?

[Long message saying Panix was SYNflood attacked]

Now, I'm far from an expert in this matter, but as far as I know a SYN-flood attack is a one way attack. You simply send a TCP packet saying you'd like to start a connection with a machine and port, and that machine answers with an appropriate packet. That packet is simply "thrown in the void" since the source address of the first packet was faked. Just sending all those SYN packets, however, will be enough to do serious damage, since the server will get busy and/or crash from the flooding.

And you have to let SYN packets in or no one can connect at all, which in this case would mean no mail, at least. And that's a Bad Thing(tm). Very effective denial of service attack. You have to trace the source of the packets, through the routers on its way there. But in this case, this included Sprint's routers. And well... Sprint seems to be generally braindamaged in a lot of situations. This time it was saying "shove it", when someone they provided with net needed help. Not much Panix can do, I guess. Sad.

/Mikael
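The mechanism described above, as an added illustration that is not part of the original message: a toy model of a listening socket's half-open queue shows why spoofed SYNs whose SYN-ACKs go "into the void" starve honest clients, and how a stateless SYN cookie (a keyed hash used as the server ISN, simplified from real kernel implementations, which also encode time and MSS) lets the server accept connections without storing state per SYN. All addresses, ports, the backlog size and the secret are constructed values.

```python
import hmac, hashlib

class Listener:
    """Toy model of a TCP listen socket's half-open (SYN_RCVD) queue."""
    def __init__(self, backlog=8, syn_cookies=False, secret=b"constructed-secret"):
        self.backlog, self.syn_cookies, self.secret = backlog, syn_cookies, secret
        self.half_open = {}        # (src_ip, src_port) -> server ISN, waiting for the final ACK
        self.established = set()
        self.dropped = 0           # SYNs refused because the half-open queue was full

    def _cookie(self, src, sport, client_isn):
        # Stateless ISN: keyed hash of the connection tuple, recomputable when the ACK arrives
        mac = hmac.new(self.secret, f"{src}:{sport}:{client_isn}".encode(), hashlib.sha256)
        return int.from_bytes(mac.digest()[:4], "big")

    def on_syn(self, src, sport, client_isn):
        """Returns the ISN placed in the SYN-ACK, or None if the SYN was dropped."""
        if self.syn_cookies:
            return self._cookie(src, sport, client_isn)   # nothing is stored per SYN
        if len(self.half_open) >= self.backlog:
            self.dropped += 1                               # queue full: honest SYNs now fail too
            return None
        isn = len(self.half_open) + 1000                    # constructed ISN; any value works here
        self.half_open[(src, sport)] = isn
        return isn

    def on_ack(self, src, sport, client_isn, ack):
        """Third handshake packet: True if the connection becomes ESTABLISHED."""
        if self.syn_cookies:
            ok = ack == self._cookie(src, sport, client_isn) + 1
        else:
            ok = self.half_open.pop((src, sport), None) == ack - 1
        if ok:
            self.established.add((src, sport))
        return ok

def simulate(syn_cookies, spoofed=20):
    """Spoofed SYNs whose SYN-ACKs fall into the void, followed by one honest client."""
    srv = Listener(syn_cookies=syn_cookies)
    for i in range(spoofed):
        srv.on_syn(f"10.0.0.{i}", 40000 + i, client_isn=i)   # constructed fake sources; no ACK ever comes
    isn = srv.on_syn("192.0.2.7", 5555, client_isn=77)        # honest client (constructed TEST-NET address)
    connected = isn is not None and srv.on_ack("192.0.2.7", 5555, 77, isn + 1)
    return {"connected": connected, "half_open": len(srv.half_open), "dropped": srv.dropped}
```

Without cookies the eight queue slots fill with entries that can never complete and every later SYN, the honest one included, is dropped; with cookies no per-SYN state exists to exhaust, so the honest handshake completes.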