From owner-freebsd-hackers  Thu Sep 12 23:39:02 1996
Return-Path: owner-hackers
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id XAA24803
          for hackers-outgoing; Thu, 12 Sep 1996 23:39:02 -0700 (PDT)
Received: from pinky.junction.net (pinky.junction.net [199.166.227.12])
          by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id XAA24683
          for <freebsd-hackers@freebsd.org>; Thu, 12 Sep 1996 23:37:19 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by pinky.junction.net (8.6.12/8.6.12) with ESMTP id WAA08859 for <freebsd-hackers@freebsd.org>; Thu, 12 Sep 1996 22:50:42 -0700
Received: from localhost (michael@localhost) by sidhe.memra.com (8.6.12/8.6.12) with SMTP id XAA12953; Thu, 12 Sep 1996 23:33:40 -0700
Date: Thu, 12 Sep 1996 23:33:39 -0700 (PDT)
From: Michael Dillon <michael@memra.com>
To: server-linux@netscape.org
cc: freebsd-hackers@freebsd.org
Subject: Re: SYN floods - possible solution? (fwd)
Message-ID: <Pine.BSI.3.93.960912233311.11005G-100000@sidhe.memra.com>
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk


Now here is something that could be used by sites to protect against SYN
flood attacke assuming that they can build a special custom box with
enough RAM to buffer the sockets for 30 seconds or more. How high a rate
can SYN floods come in at? I've heard of 1,000 per sec which implies that
this box needs to hold open 30,000 to 75,000 potential sockets. Is there
any problem within IPv4 (seq #'s?) that would make this inherently
impossible?

Michael Dillon                   -               ISP & Internet Consulting
Memra Software Inc.              -                  Fax: +1-604-546-3049
http://www.memra.com             -               E-mail: michael@memra.com

---------- Forwarded message ----------
Date: Fri, 13 Sep 1996 01:36:54 -0400 (EDT)
From: "Roderick Murchison, Jr." <murchiso@vivid.newbridge.com>
To: firewall-1@applicom.co.il
Cc: firewalls@GreatCircle.COM
Subject: Re: SYN floods - possible solution?

On Thu, 12 Sep 1996, Blast wrote:
> This problem has kept me awake more than coffee. :-)

Ditto... I just woke up *again* with a kludgy but potential defense...
sorry if this is totally out of whack, but I'm really beat!

Ok.  say you have a firewall between your network and you Internet
connection.  If that firewall could detect and *detain* a segment with the
SYN option set, then see if the set source IP answers an ICMP echo
request, we could effectively determine whether or not the SYN could be
dropped at the firewall and not sent through to spam our hosts.  If the
source responds, release the SYN and let it pass through to the intended
host.  If it does not, trash the SYN and log the failure.

Some moderate tracking and aging methods could be employed to
intelligently quick drop sources we know are recently offline, and lessen
the amount of echo requests we send out. 

Could this be a potential defense?  If so, what products would be best
suited to implement this?

hope this helps,
-r

Roderick Murchison, Jr.                      murchiso@vivid.newbridge.com
Newbridge Networks, Inc.                     office: (703) 708-5930
Product Manager - VIVID ACS                     fax: (703) 708-5937
Herndon, VA 22070-5241                       http://www.vivid.newbridge.com