From owner-freebsd-isp Mon Sep 16 12:56:03 1996
Return-Path: owner-isp
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id MAA03128 for isp-outgoing; Mon, 16 Sep 1996 12:56:03 -0700 (PDT)
Received: from brasil.moneng.mei.com (brasil.moneng.mei.com [151.186.109.160]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id MAA03103 for ; Mon, 16 Sep 1996 12:56:00 -0700 (PDT)
Received: (from jgreco@localhost) by brasil.moneng.mei.com (8.7.Beta.1/8.7.Beta.1) id OAA06188; Mon, 16 Sep 1996 14:54:29 -0500
From: Joe Greco
Message-Id: <199609161954.OAA06188@brasil.moneng.mei.com>
Subject: Re: SYN attacks in the Washington Post
To: steve@edmweb.com (Steve Reid)
Date: Mon, 16 Sep 1996 14:54:29 -0500 (CDT)
Cc: didier@omnix.fr.org, iap@vma.cc.nd.edu, linuxisp@jeffnet.org, freebsd-isp@freebsd.org, os2-isp@dental.stat.com
In-Reply-To: from "Steve Reid" at Sep 13, 96 02:30:15 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> 3- Set your router so that it will _not_ allow packets to be sent from
> your network with an address that doesn't match your network. For
> instance, if your network is 198.41.0.*, don't allow your router to
> send out packets unless the source address matches 198.41.0.*. This
> doesn't offer any protection to you, but it will prevent your network from
> being used to launch a SYN bombing attack. If someone does attempt it,
> they will be limited to forging addresses in your subnet (such as
> 198.41.0.253) which the victim can easily block, and you can easily
> trace. You could even go so far as to only allow addresses from valid
> hosts on your network, which will make SYN bombing from your network
> impossible.

No, not "impossible".

In my opinion, all ISPs should do everything they can to reject bogus addresses from originating at their site. Anything less is incompetence.
My standard filtering firewall does numerous things, including:

 - Block all traffic with RFC1918 addresses as source or destination. These never have a valid reason for passing through a border router.
 - Block all inbound traffic with source addresses that are in my CIDR blocks.
 - Block all inbound traffic with destination addresses not in my CIDR blocks. This is explicitly reinforcing the RFC1918 rule :-) but that is OK.
 - Block all outbound traffic except traffic with a source address in my CIDR blocks.
 - Block all outbound traffic except traffic with a destination address NOT in my CIDR blocks (generally: routing errors).

You can never be too paranoid.

... JG
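The border-filter policy described in the message above (the RFC1918 rule plus the inbound and outbound anti-spoofing rules), written out as a small decision function so the rules can be checked against sample packets. This is an added example, not code from the original post or from any router product; the `MY_BLOCKS` allocations and the sample packets are constructed for illustration (198.41.0.0/24 mirrors the 198.41.0.* example in the quoted text, 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges).

```python
"""Border-router anti-spoofing filter, modelled on the six rules in the
message above. Added example, not code from the original post. The CIDR
blocks and the sample packets are constructed for illustration."""
from ipaddress import ip_address, ip_network

# RFC 1918 private space: never legitimate on either side of a border router.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Assumed: the ISP's own allocations (constructed for this example).
MY_BLOCKS = [ip_network("198.41.0.0/24"), ip_network("203.0.113.0/24")]


def in_blocks(addr, blocks):
    """True if addr falls inside any network in blocks."""
    return any(addr in net for net in blocks)


def decide(direction, src, dst, my_blocks=MY_BLOCKS):
    """Return (verdict, reason) for one packet seen at the border.

    direction is "in" (arriving from the Internet) or "out" (leaving our
    network). The checks follow the rules in the message, in order.
    """
    s, d = ip_address(src), ip_address(dst)
    # Rule 1: RFC1918 as source or destination is dropped in both directions.
    if in_blocks(s, RFC1918) or in_blocks(d, RFC1918):
        return ("block", "rfc1918 address at border")
    if direction == "in":
        # Rule 2: an outside packet must not claim one of our addresses.
        if in_blocks(s, my_blocks):
            return ("block", "inbound packet claims one of our source addresses")
        # Rule 3: inbound traffic must be destined to us, not transit.
        if not in_blocks(d, my_blocks):
            return ("block", "inbound packet not destined to our blocks")
        return ("allow", "inbound ok")
    if direction == "out":
        # Rule 4: egress source must be ours, or it is spoofed.
        if not in_blocks(s, my_blocks):
            return ("block", "outbound source not in our blocks (spoofed)")
        # Rule 5: egress destination inside our own blocks is a routing error.
        if in_blocks(d, my_blocks):
            return ("block", "outbound destination is our own block (routing error)")
        return ("allow", "outbound ok")
    raise ValueError("direction must be 'in' or 'out'")


# Constructed sample packets: (direction, source, destination)
SAMPLE_PACKETS = [
    ("out", "198.41.0.253", "192.0.2.10"),  # legitimate customer traffic
    ("out", "10.5.5.5", "192.0.2.10"),      # RFC1918 source leaking out
    ("out", "44.1.2.3", "192.0.2.10"),      # source not ours: spoofed
    ("in", "198.41.0.7", "198.41.0.20"),    # outside host claiming our address
    ("in", "192.0.2.99", "198.41.0.20"),    # normal inbound
    ("in", "192.0.2.99", "192.0.2.50"),     # transit we have no reason to forward
    ("out", "198.41.0.5", "198.41.0.9"),    # internal traffic reaching the border
]


def audit(packets=SAMPLE_PACKETS):
    """Run each packet through the filter and return the list of verdicts."""
    return [decide(*p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, "->", decide(*p))
```

The function is direction-aware on purpose: the same source/destination pair is judged differently depending on which interface it arrives on, which is what makes the inbound rules catch outsiders claiming your addresses and the outbound rules catch your own customers forging someone else's.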