From owner-freebsd-security Sat Sep 7 14:59:01 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA14809 for security-outgoing; Sat, 7 Sep 1996 14:59:01 -0700 (PDT)
Received: from freebsd.netcom.com (freebsd.netcom.com [198.211.79.3]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id OAA14803 for ; Sat, 7 Sep 1996 14:58:56 -0700 (PDT)
Received: by freebsd.netcom.com (8.6.12/SMI-4.1) id RAA16524; Sat, 7 Sep 1996 17:04:24 -0500
From: bugs@freebsd.netcom.com (Mark Hittinger)
Message-Id: <199609072204.RAA16524@freebsd.netcom.com>
Subject: re: Panix Attack: synflooding and source routing?
To: freebsd-security@freebsd.org
Date: Sat, 7 Sep 1996 17:04:24 -0500 (CDT)
X-Mailer: ELM [version 2.4 PL25]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Netcom's IRC servers were attacked by a similar mechanism a couple of weeks ago - random source addresses on packets that touched telnet, smtp, auth, irc, and then back to telnet. A most effective attack.

We tracked it as far as we could and have more ideas about how to follow it back now. I'm jamming with a router buddy trying to get some code into the next cisco release - we can detect the condition at the router and log which interface we are getting the packets from. If the router can query its adjacent routers' "spray log" we'd be able to very quickly find the machine that the kiddies are running from (naturally it will belong to somebody else :-) ).

There may be a kernel fix for this but I'm leaning towards a router based fix at this time.

Regards,

Mark Hittinger
Netcom/Dallas
bugs@freebsd.netcom.com
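The detection idea in the message above (spot a burst of connection attempts from mostly distinct, randomised source addresses and record which interface they arrived on) can be illustrated with a small "spray log" analyser. This is an added example written for this archive page; it is not code from the original post, from Netcom, or from any router vendor. It assumes a constructed per-packet log format (ISO timestamp, ingress interface, source, destination, destination port, TCP flags), assumed tuning thresholds, and made-up interface names and documentation-range addresses.

```python
"""Toy "spray log" detector for a SYN flood with randomised source addresses.

Added example, not code from the original message or from Netcom or cisco.
It assumes a constructed per-packet log format of the form

    <ISO timestamp> if=<ingress interface> src=<ip> dst=<ip> dport=<port> flags=<tcp flags>

and flags an (interface, destination, port) triple when, inside a short
window, many bare SYNs arrive from mostly distinct source addresses.
Only the standard library is used.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

WINDOW = timedelta(seconds=5)     # sliding window length (assumed tuning value)
MIN_SYNS = 20                     # SYNs per window before we care (assumed)
MIN_DISTINCT_RATIO = 0.9          # distinct sources / SYNs; random spoofing is ~1.0


def parse_line(line):
    """Parse one constructed log line into a dict; return None for garbage."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        rec = {"ts": datetime.fromisoformat(parts[0])}
        for kv in parts[1:]:
            k, v = kv.split("=", 1)
            rec[k] = v
        rec["dport"] = int(rec["dport"])
        ipaddress.ip_address(rec["src"])   # validate; raises ValueError if bogus
        ipaddress.ip_address(rec["dst"])
    except (ValueError, KeyError):
        return None
    return rec


def is_bare_syn(rec):
    """A fresh connection attempt is a SYN without ACK (flags like 'S', not 'SA')."""
    f = rec["flags"]
    return "S" in f and "A" not in f


def detect_syn_spray(lines, window=WINDOW, min_syns=MIN_SYNS,
                     min_distinct_ratio=MIN_DISTINCT_RATIO):
    """Return a sorted list of (interface, dst, dport, syn_count, distinct_sources)
    for every (interface, dst, dport) whose SYN pattern inside some window looks
    like a randomised-source flood. Each key is reported once, with its peak window."""
    by_key = defaultdict(list)          # key -> [(ts, src), ...] for bare SYNs
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_bare_syn(rec):
            continue
        by_key[(rec["if"], rec["dst"], rec["dport"])].append((rec["ts"], rec["src"]))

    findings = []
    for key, events in by_key.items():
        events.sort()
        start = 0
        best = None
        # two-pointer sliding window over the time-ordered SYNs
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count < min_syns:
                continue
            distinct = len({src for _, src in events[start:end + 1]})
            if distinct / count >= min_distinct_ratio:
                if best is None or count > best[0]:
                    best = (count, distinct)
        if best is not None:
            findings.append((key[0], key[1], key[2], best[0], best[1]))
    return sorted(findings)


def constructed_log():
    """Constructed sample traffic: a spoofed SYN spray arriving on Serial0 toward
    port 23, plus benign retries on Ethernet0 that must not be flagged."""
    base = datetime(1996, 9, 7, 17, 4, 0)
    lines = []
    # 30 SYNs in under 3 seconds, each from a different constructed source
    for i in range(30):
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} if=Serial0 src=203.0.113.{i + 1} "
                     f"dst=192.0.2.10 dport=23 flags=S")
    # 25 SYNs from a single legitimate client retrying SMTP: same source each time
    for i in range(25):
        ts = base + timedelta(milliseconds=150 * i)
        lines.append(f"{ts.isoformat()} if=Ethernet0 src=198.51.100.7 "
                     f"dst=192.0.2.25 dport=25 flags=S")
    # a SYN/ACK (handshake reply) is never counted as an attempt
    lines.append(f"{base.isoformat()} if=Ethernet0 src=192.0.2.25 "
                 f"dst=198.51.100.7 dport=1025 flags=SA")
    lines.append("this line is corrupt and must be skipped")
    return lines


if __name__ == "__main__":
    for iface, dst, dport, syns, distinct in detect_syn_spray(constructed_log()):
        print(f"SYN spray via {iface} -> {dst}:{dport}: "
              f"{syns} SYNs from {distinct} distinct sources")
```

The distinct-source ratio is what separates a spoofed spray from an ordinary burst of retries: the legitimate client on Ethernet0 exceeds the SYN count threshold but is a single address, so it is not reported, while the Serial0 traffic is flagged together with the interface it came in on, which is the piece of information the message proposes sharing between adjacent routers.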