
Re: Hostile webserver attack!!!!

From: Jacques Caron <jcaron@pressicom.fr>
Date: Wed, 25 Dec 1996 02:28:49 +0100
Message-Id: <l03010d01aee6328c868a@[194.150.0.169]>
To: Erez Levin <erezl@dingo.co.il>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

At 22:55 +0100 24/12/96, Erez Levin wrote:
[blah blah about SYN-flood attack...]

>Is any of you guys familiar with this "SYN-flood" bombing method? Does
>anyone know how you can locate these suspects and place them under a
>"black list" of forbidden sites?

1. The SYN-flood attack has been a well-known bombing method for quite a
few weeks (months?) now.

2. There is no way of locating the originator. The inherent principle of
the method consists of sending TCP SYN packets (the first packet in a TCP
connection, used to initiate it) with a false source address, so that the
destination cannot send the SYN_ACK back, and thus gets its table of
connections in "opening" (SYN_RCVD) state overflowed.

3. Most major OSes have been patched to resist SYN flooding.

4. To prevent your site, and downstream sites from yours, if you're an ISP,
from being a source of SYN-flood attacks, you should set up access-lists on
your border routers discarding packets with a source that does not match
the corresponding network(s).

Note that this is absolutely not linked to HTTP only, but to all TCP services.

Jacques.

--- Jacques Caron - Pressicom - jcaron@pressicom.fr
    Mail:   5/7 rue Raspail - 93108 Montreuil Cedex - France
    Tel:    +33 (0)1 49 88 63 93 - Fax: +33 (0)1 49 88 75 15
    TAMTAM: +33 (0)6 06 51 02 37 <- it has changed again.
    Planete.net: Angouleme, Bordeaux, Lille, Lyon, Marseille, Montreuil,
    Montpellier, Nancy, Nantes, Rouen and Toulouse - http://www.planete.net
Received on Tuesday, 24 December 1996 17:32:26 EST
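
Added example, not part of the original message: a small Python model of the source-address check described in point 4, where a border router forwards a packet only if its source falls inside the prefixes assigned to the interface it arrived on. The interface names, prefixes, sample packets and function names are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed table: prefixes legitimately routed behind each
# customer-facing interface of a hypothetical border router.
ALLOWED_SOURCES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("203.0.113.64/26")],
}

def permit(interface, src):
    """True if a packet entering on `interface` carries a source address
    that belongs to that interface's network(s); default deny otherwise."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False                      # unparsable source: discard
    nets = ALLOWED_SOURCES.get(interface)
    if nets is None:
        return False                      # interface with no table: discard
    return any(addr in net for net in nets)

def apply_filter(packets):
    """Split packets into forwarded ones and a per-interface drop count.
    The check ignores port and TCP flags, so it covers every TCP service."""
    forwarded, drops = [], Counter()
    for pkt in packets:
        if permit(pkt["in_if"], pkt["src"]):
            forwarded.append(pkt)
        else:
            drops[pkt["in_if"]] += 1      # counter shows which side spoofs
    return forwarded, dict(drops)

# Constructed sample traffic (all TCP SYNs to a documentation address).
SAMPLE = [
    {"in_if": "cust-a", "src": "192.0.2.10",    "dst": "203.0.113.1", "flags": "S"},
    {"in_if": "cust-a", "src": "10.1.2.3",      "dst": "203.0.113.1", "flags": "S"},
    {"in_if": "cust-a", "src": "198.51.100.7",  "dst": "203.0.113.1", "flags": "S"},
    {"in_if": "cust-b", "src": "198.51.100.7",  "dst": "203.0.113.1", "flags": "S"},
    {"in_if": "cust-b", "src": "203.0.113.70",  "dst": "203.0.113.1", "flags": "S"},
    {"in_if": "cust-b", "src": "203.0.113.200", "dst": "203.0.113.1", "flags": "S"},
]

if __name__ == "__main__":
    fwd, drops = apply_filter(SAMPLE)
    print(len(fwd), "forwarded; drops per interface:", drops)
```

Note that 198.51.100.7 is discarded on cust-a but forwarded on cust-b: the check is per interface, not a single global list of known networks.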
