Date: Fri, 13 Sep 1996 01:30:45 -0700 (PDT) From: Michael Dillon <michael@memra.com> To: nanog@merit.edu Cc: freebsd-hackers@freebsd.org Subject: Re: SYN floods - possible solution? (fwd) Message-ID: <Pine.BSI.3.93.960913012044.11005K-100000@sidhe.memra.com> In-Reply-To: <199609130820.EAA06157@panix.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 13 Sep 1996, Alexis Rosen wrote: > But... I still don't believe that this is a good global solution. Most ISPs > can't cope with this. The clue level I've been seeing among many of the > ISP "engineers" and "systems administrators" who have called in the last > few days to ask for help ("is your problem happening to me too???") is > astonishingly low. :-( Tell me about it. But if this kind of solution could be packaged up in a single box with two ethernet interfaces then a lot of less clueful ISP's could easily install such a thing and protect their whole network. If the box also provided default filters on source addresses that could help solve another problem as well. The fear of attack may well be the force which overcomes inertia here and gets more ISP's up to speed on these issues just like AIDS brought the issues of safe sex to the forefront. > I also have no clue what I'd choose to implement this on. It *could* be > done in a unix kernel but that's probably a really *bad* choice. I'm sure > plenty of people out there know some good possibilities, though. Well, the advantage to using something like FreeBSD is that it is freely available, well-documented, and eleigible for creating commercial products as long as you check copyrights carefully. Most parts of FreeBSD have no commercial use restrictions like GNU does. And FreeBSD already has the basic functionality in it including support for readily available hardware including 10baseT and 100baseTx and FDDI interfaces. Building this kind of box would be mostly an excercise in subtraction and it may well be possible to strip enough stuff out that it can all be booted off a 1.44 megabyte diskette into a diskless 486 or Pentium box with a RAMdisk. At that point all an ISP needs to do is download a file, a disk writing utility (RAWRITE.EXE) and assemble a box with certain standard components like their choice of 3 types of network card as mentioned above. If the box included ssh for the admin interface maybe it could create a precedent for router manufacturers? NOTE: I copied this one to freebsd-hackers Michael Dillon - ISP & Internet Consulting Memra Software Inc. - Fax: +1-604-546-3049 http://www.memra.com - E-mail: michael@memra.com
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSI.3.93.960913012044.11005K-100000>