At 10:47 AM 9/17/96 -0700, Michael Dillon wrote:
> Some part of the discussion involves the technical details of hardening OS kernels as well as a couple of alternate solutions for defending against the attacks involving either a SYN proxy or a machine feeding RST's. These technical details belong on the firewalls list because the people on that list work with building DEFENSIVE mechanisms.
Except that what we need are routers implementing traffic filtering on ISP input ports rather than firewalls defending customer premises from attacks coming from the ISPs. I think we are dealing with two different markets and two different groups of people. I don't think that ISPs will protect themselves from this denial of service attack with firewalls. This is a router requirement.
> inet-access and other ISP mailing lists are most relevant for the PREVENTION of SYN flood attacks. This is where we need to hammer home the need for filtering outgoing routes.
Filtering incoming traffic against legitimate source addresses. The most important point is that if we all decide that defense and tracing are of limited utility and that filtering is the only way to stop these attacks, then we need a few people who read the nanog and iepg lists to stand up and say "I will filter and I expect you to do the same if you want to peer with me." Otherwise, it will be difficult for any single ISP to justify being the first to install peripheral filtering. We must have a consensus to move on this issue. Call it "peer pressure". :-) --Kent
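The check Kent is arguing for, filtering traffic arriving on an ISP's customer-facing ports against the source addresses that customer is actually assigned, written out as an added example in Python; it is not code from the original thread or from any of its participants. The port names, customer prefixes and packets are all constructed for illustration. One design choice is the example's own and not something the thread specifies: a port with no entry in the table fails closed, so nothing arriving on it is treated as legitimately sourced.

```python
"""Ingress source-address filtering at the ISP customer edge (added example).

A forged SYN looks like any other SYN to the flooded host, but the router
that received it from the customer port knows which prefixes that customer
was assigned. Packets whose source lies outside those prefixes are dropped
before they ever reach the rest of the network.
"""
import ipaddress
from collections import Counter, namedtuple

# A minimal packet record: the port it arrived on, addresses, and TCP flags.
Packet = namedtuple("Packet", "ingress_port src dst tcp_flags")

# Constructed, hypothetical assignments: which prefixes each customer port
# may legitimately source traffic from.
CUSTOMER_PREFIXES = {
    "cust-eth0": ["192.0.2.0/24"],
    "cust-eth1": ["198.51.100.0/25", "198.51.100.128/26"],
}

# Constructed sample traffic, all SYNs aimed at one victim address.
SAMPLE_PACKETS = [
    Packet("cust-eth0", "192.0.2.10", "203.0.113.80", "S"),       # customer's own address
    Packet("cust-eth0", "10.99.0.1", "203.0.113.80", "S"),        # forged source
    Packet("cust-eth0", "198.51.100.5", "203.0.113.80", "S"),     # another customer's address
    Packet("cust-eth1", "198.51.100.150", "203.0.113.80", "S"),   # inside 198.51.100.128/26
    Packet("cust-eth1", "198.51.100.250", "203.0.113.80", "S"),   # unassigned hole in the /24
    Packet("cust-eth9", "192.0.2.99", "203.0.113.80", "S"),       # port with no entry
]


def compile_table(table):
    """Parse prefix strings once so the per-packet check is only a range test.

    strict=True makes a prefix with host bits set (e.g. 192.0.2.1/24) raise
    immediately: a misconfigured filter should fail loudly, not silently.
    """
    return {port: [ipaddress.ip_network(p, strict=True) for p in prefixes]
            for port, prefixes in table.items()}


def is_legitimate_source(port, src, compiled):
    """True only if src lies inside a prefix assigned to the customer on port.

    A port absent from the table has no legitimate sources (fail closed),
    a choice made by this example rather than by the thread.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in compiled.get(port, []))


def ingress_filter(packets, table):
    """Split packets into (accepted, dropped) by their ingress port's prefixes."""
    compiled = compile_table(table)
    accepted, dropped = [], []
    for pkt in packets:
        bucket = accepted if is_legitimate_source(pkt.ingress_port, pkt.src, compiled) else dropped
        bucket.append(pkt)
    return accepted, dropped


def spoof_report(dropped):
    """Count dropped packets per ingress port.

    This is the information the flooded victim cannot recover on its own:
    the edge router knows which customer port the forged packets entered on.
    """
    return Counter(p.ingress_port for p in dropped)


def run_example():
    """Run the filter over the constructed traffic; used by the stand-alone main."""
    return ingress_filter(SAMPLE_PACKETS, CUSTOMER_PREFIXES)


if __name__ == "__main__":
    accepted, dropped = run_example()
    for pkt in accepted:
        print(f"ACCEPT {pkt.ingress_port} {pkt.src} -> {pkt.dst} [{pkt.tcp_flags}]")
    for pkt in dropped:
        print(f"DROP   {pkt.ingress_port} {pkt.src} -> {pkt.dst} [{pkt.tcp_flags}]")
    print("dropped per port:", dict(spoof_report(dropped)))
```

The check only works where the prefix-to-port mapping is known, which is why the thread places it at the ISP's input ports rather than at a firewall in front of the victim: by the time a forged SYN reaches the target, the address it carries is the only evidence left, and that address is a lie.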