On Tue, 17 Sep 1996, David Miller wrote:
Could we drop the SYN/Denial thread? It's becoming rather base.
The discussion could always be moved to the firewalls list.
Some part of the discussion involves the technical details of hardening OS kernels as well as a couple of alternate solutions for defending against the attacks involving either a SYN proxy or a machine feeding RST's. These technical details belong on the firewalls list because the people on that list work with building DEFENSIVE mechanisms.
I would suggest that it not be. This is actually a crisis that has to be solved by action taken by service providers working together, and does not involve conventional firewalls per se. I would say that it is therefore germane to Nanog.
Quite correct. We need better ways to trace the source of these attacks. We need more cooperation between providers. We need educational material that explains who should do what.
If we're voting, I'd say inet-access. SYN attacks and defense are more centered on the ISP's than the backbones.
inet-access and other ISP mailing lists are most relevant for the PREVENTION of SYN flood attacks. This is where we need to hammer home the need for filtering outgoing routes. So far we have come up with detailed instructions for configuring a Cisco, a Livingston and a Bay router to block SYN spoofing. I'd like to see instructions for a FreeBSD/Linux box running ipfwadm as well. Any others? I suppose it is relevant to tell ISP's to install hardened OS kernels but if they don't then it only hurts them, not the rest of the net.

Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com