On Tue, 17 Sep 1996 17:21:07 -0700, Michael Dillon <michael@memra.com> wrote:
+-
|If it only takes 8 SYN packets to lock up a socket for 75 seconds then
|effective SYN flood attacks certainly *CAN* be launched from a dialup
|connection. And if the definition of an effective attack allows for
|intermittently shutting down a socket then effective attacks certainly
|*CAN* be launched from places like Uruguay, Brazil, Indonesia and so forth.
+-

i agree that it is possible and this is why it is necessary to harden machines to some degree.

this makes me wonder, though: since the rate cited for the attacks against panix is much higher than that, has anyone looked at trends in the inter-packet delay to see if they lend any insight as to the source? so to have a rate high enough to discount all 28.8K or less dialups and some transoceanic links is useful to some small measure.

since the talk seems to be centered around specific machines being hosed, i assume that panix's links are not becoming congested. perhaps a change in the packet density during the attack might suggest that an intermediate circuit is becoming congested. if this is the case, then ISPs may be able to look at known high-use corridors instead of groping around blindly.

or, conversely, if there is a steady stream at 2Kpps, that might be enough to allow a smaller provider to discount part of the topology that is not able to support that kind of traffic. i think that Alexis said that the 2nd attack involved something like 7 panix machines--just how much bandwidth is needed to support a 2Kpps attack on 7 machines?

-arthur
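The triage idea raised in this message, as an added example that is not part of the original post: from packet arrival timestamps at the victim, compute the peak rate, the bandwidth floor it implies, the link classes that floor rules out, and whether the inter-packet gap drifts over the capture. The 40-byte SYN size, the single-source reading, the link table and all timestamps are assumptions constructed for illustration.

```python
# Added example; timestamps are constructed, not taken from the thread.
SYN_BYTES = 40  # assumption: 20-byte IP + 20-byte TCP header, no options or framing
LINKS_BPS = {"28.8K dialup": 28_800, "64K ISDN B-channel": 64_000, "T1": 1_544_000}


def peak_pps(ts_us, window_us=1_000_000):
    """Highest packet rate (packets/sec) seen in any sliding window."""
    ts = sorted(ts_us)
    best = lo = 0
    for hi, t in enumerate(ts):
        while t - ts[lo] >= window_us:
            lo += 1
        best = max(best, hi - lo + 1)
    return best * 1_000_000 / window_us


def required_bps(pps, pkt_bytes=SYN_BYTES):
    """Lower bound on the bandwidth needed to carry `pps` packets per second."""
    return pps * pkt_bytes * 8


def excluded_links(pps, links=LINKS_BPS):
    """Link classes whose nominal rate cannot carry the observed stream."""
    need = required_bps(pps)
    return sorted(name for name, bps in links.items() if bps < need)


def gap_trend(ts_us, chunks=4):
    """Mean inter-packet gap (microseconds) for each successive slice of the capture."""
    ts = sorted(ts_us)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    size = len(gaps) // chunks
    if size == 0:
        raise ValueError("capture too short for the requested number of chunks")
    return [sum(gaps[i * size:(i + 1) * size]) / size for i in range(chunks)]


# Constructed capture: steady 2 Kpps for 1 s, then the stream thins to 1 Kpps.
THINNING = [i * 500 for i in range(2001)] + [1_000_000 + j * 1000 for j in range(1, 2001)]

if __name__ == "__main__":
    rate = peak_pps(THINNING)
    print(f"peak {rate:.0f} pps needs >= {required_bps(rate):.0f} bit/s")
    print("links too slow to carry it:", excluded_links(rate))
    print("mean gap per quarter (us):", gap_trend(THINNING))
    print("8 SYNs per 75 s needs", round(required_bps(8 / 75), 1), "bit/s")
```

Because link framing is not counted, the bandwidth figure is a floor, so any link it excludes stays excluded once real overhead is added.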