---------- Forwarded message ----------
Date: Thu, 12 Sep 1996 03:31:11 +0200 (MET DST)
From: Bernd Eckenfels <lists@lina.inka.de>
To: Robert Hanson <roberth@cet.com>
Cc: firewalls@GreatCircle.COM
Subject: Re: SYN floods continue (fwd)

Hi,

how do we fix zillions of machines from a "red flag" situation. or at least the ones we care about... is this not "logical"...

There are 2 fixes. The first is very simple: Every ISP has ppl to do the work. Within a few hours every SYN attack should be backtraceable, especially if one can expect it and prepare for it. Every ISP only needs the phone number of the person at the upstream ISP who is providing the trace service. Additionally, tools like Argus can be used at ISPs to log the traffic and bad conditions with source. Generally this is a political fix which can be supported by filtering and all kinds of time-consuming and expensive work.

The other fix is to develop a new protocol which is better suited for communication in a hostile environment. This is IPv6 or IPsec.

Currently there is no real fix for SYN attacks. There are a few good attempts like reverse-resolving of addresses, wrap-around listen backlogs instead of filling up queues. At least systems can be enhanced to WARN about SYN attacks. With some things like wrap-around queues one can at least increase the amount of bandwidth needed for a SYN attack. But you can never guarantee operation for services which are connected to the open internet.

Greetings
Bernd
--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{lina.inka.de,linux.de}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/A2C51749  eckes@irc  +4972573817  *plush*
(O____O)       If privacy is outlawed only Outlaws have privacy
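
Added example, not part of the original message: a toy simulation of a listen backlog that compares the "fill up" policy (drop new SYNs when the queue is full) with the wrap-around policy mentioned above (overwrite the oldest half-open entry). The tick model, the function name simulate and all parameter values (backlog 128, round trip 2 ticks, timeout 75 ticks, the SYN rates) are assumptions chosen for illustration.

```python
from collections import OrderedDict

def simulate(policy, attack_rate, ticks=300, backlog=128, rtt=2, timeout=75):
    """Return how many of `ticks` legitimate handshakes complete.

    One legitimate SYN and `attack_rate` never-completed SYNs arrive per tick.
    policy "fill": a new SYN is dropped while the backlog is full.
    policy "wrap": a new SYN overwrites the oldest half-open entry.
    """
    queue = OrderedDict()        # seq -> (arrival_tick, is_legit), oldest first
    seq = completed = 0
    for now in range(ticks + rtt):           # extra rtt ticks drain the tail
        for key, (born, legit) in list(queue.items()):
            if legit and now - born >= rtt:  # final ACK arrives, slot is freed
                del queue[key]
                completed += 1
            elif now - born >= timeout:      # half-open entry timed out
                del queue[key]
        if now >= ticks:
            continue
        # Rotate the legitimate SYN's position inside each tick's burst so it
        # is neither always first nor always last (deterministic interleaving).
        legit_pos = now % (attack_rate + 1)
        for pos in range(attack_rate + 1):
            if len(queue) >= backlog:
                if policy == "fill":
                    continue                 # SYN dropped, queue stays clogged
                queue.popitem(last=False)    # wrap-around: evict the oldest
            queue[seq] = (now, pos == legit_pos)
            seq += 1
    return completed

if __name__ == "__main__":
    print("rate/tick  fill-up  wrap-around   (completed of 300)")
    for rate in (10, 50, 100, 200):
        print(f"{rate:9d}  {simulate('fill', rate):7d}  {simulate('wrap', rate):11d}")
```

With wrap-around, a legitimate entry is lost only if a full backlog's worth of newer SYNs arrives within one round trip, so the rate needed to starve clients scales with backlog size divided by round-trip time rather than with the much longer half-open timeout.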