- From: Jacques Caron <jcaron@pressicom.fr>
- Date: Wed, 25 Dec 1996 02:28:49 +0100
- To: Erez Levin <erezl@dingo.co.il>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
At 22:55 +0100 24/12/96, Erez Levin wrote:
[blah blah about SYN-flood attack...]
>Is any of you guys familiar with this "SYN-flood" bombing method? Does
>anyone know how you can locate these suspects and place them under a
>"black list" of forbidden sites?
1. The SYN-flood attack has been a well-known bombing method for quite a
few weeks (months?) now.
2. There is no way of locating the originator. The inherent principle of
the method consists of sending TCP SYN packets (the first packet in a TCP
connection, used to initiate it) with a false source address, so that the
destination cannot send the SYN_ACK back, and thus gets its table of
connections in the "opening" (SYN_RCVD) state overflowed.
3. Most major OSes have been patched to resist SYN flooding.
4. To prevent your site, and downstream sites from yours, if you're an ISP,
from being a source of SYN-flood attacks, you should set up access-lists on
your border routers discarding packets with a source that does not match
the corresponding network(s).
Note that this is absolutely not linked to HTTP only, but to all TCP services.
Jacques.
--- Jacques Caron - Pressicom - jcaron@pressicom.fr
Mail: 5/7 rue Raspail - 93108 Montreuil Cedex - France
Tel: +33 (0)1 49 88 63 93 - Fax: +33 (0)1 49 88 75 15
TAMTAM: +33 (0)6 06 51 02 37 <- it has changed again.
Planete.net: Angouleme, Bordeaux, Lille, Lyon, Marseille, Montreuil,
Montpellier, Nancy, Nantes, Rouen and Toulouse - http://www.planete.net
Received on Tuesday, 24 December 1996 17:32:26 UTC
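The two mechanisms in points 2 and 4 of the message above, as an added example that is not part of the original post or of any product mentioned in it: a small Python model of a listener's half-open (SYN_RCVD) table being exhausted by SYNs with forged source addresses, next to the border-router access list that discards packets whose source address does not belong to the customer's own prefix. The class and function names (SynBacklog, ingress_filter, filter_packets, run_flood), the backlog size and timeout, and every address and prefix are assumptions chosen for the example; the addresses come from documentation ranges and no packet is actually sent.

```python
"""Added example, not from the original message: a model of a SYN flood
against a listener's half-open table, with and without the ISP border
access list from point 4.  All addresses, prefixes and packets below are
constructed for the example (RFC 5737 documentation ranges)."""

import ipaddress
from collections import OrderedDict


class SynBacklog:
    """Half-open connection table of one listening socket (assumed model).

    A SYN that gets a slot holds it until the third handshake packet (ACK)
    arrives or the entry times out.  With a forged source the SYN/ACK goes
    to a host that never answers, so the slot is held for the full timeout.
    """

    def __init__(self, size, timeout):
        self.size = size
        self.timeout = timeout
        self.half_open = OrderedDict()  # (src, sport) -> expiry time
        self.dropped = 0

    def _expire(self, now):
        for key in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def syn(self, src, sport, now):
        """True if the SYN got a slot (SYN/ACK sent), False if it was dropped."""
        self._expire(now)
        if len(self.half_open) >= self.size:
            self.dropped += 1
            return False
        self.half_open[(src, sport)] = now + self.timeout
        return True

    def ack(self, src, sport, now):
        """Third handshake packet: frees the slot; True if it matched an entry."""
        self._expire(now)
        return self.half_open.pop((src, sport), None) is not None


def ingress_filter(allowed_prefixes):
    """permit(src) for an access list that passes only sources inside the
    customer's prefixes; everything else is the 'discard' rule of point 4."""
    nets = [ipaddress.ip_network(p) for p in allowed_prefixes]

    def permit(src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in nets)

    return permit


def filter_packets(packets, allowed_prefixes):
    """Split a list of {'src': ..., 'dst': ...} packets into (passed, dropped)."""
    permit = ingress_filter(allowed_prefixes)
    passed, dropped = [], []
    for pkt in packets:
        (passed if permit(pkt["src"]) else dropped).append(pkt)
    return passed, dropped


# Constructed addresses for the simulation.
ATTACKER_PREFIX = "192.0.2.0/24"                              # attacker's ISP allocation
FORGED_SOURCES = ["203.0.113.%d" % i for i in range(1, 21)]   # never the attacker's own
LEGIT_CLIENT = "198.51.100.7"                                 # sits behind another ISP


def run_flood(ingress_filtering, backlog_size=5, timeout=60):
    """Send 20 forged SYNs at the victim, then try one real connection.

    ingress_filtering=True models the attacker's ISP applying the access
    list: a packet leaving 192.0.2.0/24 with any other source is dropped at
    the border and never reaches the victim.  The real client is not behind
    that filter.
    """
    victim = SynBacklog(backlog_size, timeout)
    permit = ingress_filter([ATTACKER_PREFIX]) if ingress_filtering else (lambda s: True)
    reaching = 0
    for i, src in enumerate(FORGED_SOURCES):
        if permit(src):                        # check made at the attacker's border router
            reaching += 1
            victim.syn(src, 40000 + i, now=i)  # one forged SYN per second
    held = len(victim.half_open)
    forged_dropped = victim.dropped
    during = victim.syn(LEGIT_CLIENT, 51234, now=30)
    if during:
        victim.ack(LEGIT_CLIENT, 51234, now=30)  # real client completes the handshake
    after = victim.syn(LEGIT_CLIENT, 51235, now=30 + timeout + 1)
    return {
        "forged_syns_reaching_victim": reaching,
        "slots_held_by_forged_syns": held,
        "forged_syns_dropped_by_victim": forged_dropped,
        "legit_connect_during_flood": during,
        "legit_connect_after_timeout": after,
    }


if __name__ == "__main__":
    for filtered in (False, True):
        print("ingress filtering %s:" % ("on" if filtered else "off"), run_flood(filtered))
```

Without the filter, the first five forged SYNs fill the backlog, the other fifteen are dropped by the victim, and the real client cannot connect until the half-open entries time out; with the filter at the attacker's ISP, no forged SYN reaches the victim at all. On a Cisco IOS border router the equivalent of ingress_filter(["192.0.2.0/24"]) is a numbered extended access list of the form `access-list 101 permit ip 192.0.2.0 0.0.0.255 any` followed by `access-list 101 deny ip any any`, applied inbound on the customer-facing interface with `ip access-group 101 in` (IOS syntax from general knowledge, not from the message).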