Re: Hostile webserver attack!!!!

At 22:55 +0100 24/12/96, Erez Levin wrote:
[blah blah about SYN-flodd attack...]

>Is any of you guys familiar with this "SYN-flood" bombimg method?  does
>anyone know how you can located this suspects and place them under a
>"black list" of forbidden sites?

1. The SYN-flood attack has been a well-known bombing method for quite a
few weeks (months?) now.

2. There is no way of locating the originator. The inherent principle of
the method consists of sending TCP SYN packets (the first packet in a TCP
connection, used to initiate it) with a false source address, so that the
destination cannot send the SYN_ACK back, and thus gets its table of
connection in "opening" (SYN_RCVD) state overflowed.

3. Most major OSes have been patched to resist SYN flooding.

4. To prevent your site, and downstream sites from yours, if you're an ISP,
from being a source of SYN-flood attacks, you should set up access-lists on
your border routers discarding packets with a source that does not match
the corresponding network(s).

Note that this is absolutely not linked to HTTP only, but to all TCP services.


--- Jacques Caron - Pressicom -
    Mail:   5/7 rue Raspail - 93108 Montreuil Cedex - France
    Tel:    +33 (0)1 49 88 63 93 - Fax: +33 (0)1 49 88 75 15
    TAMTAM: +33 (0)6 06 51 02 37 <- ca a encore change. Angouleme, Bordeaux, Lille, Lyon, Marseille, Montreuil,
    Montpellier, Nancy, Nantes, Rouen et Toulouse -

Received on Tuesday, 24 December 1996 17:32:26 UTC