At 22:55 +0100 24/12/96, Erez Levin wrote: [blah blah about SYN-flodd attack...] >Is any of you guys familiar with this "SYN-flood" bombimg method? does >anyone know how you can located this suspects and place them under a >"black list" of forbidden sites? 1. The SYN-flood attack has been a well-known bombing method for quite a few weeks (months?) now. 2. There is no way of locating the originator. The inherent principle of the method consists of sending TCP SYN packets (the first packet in a TCP connection, used to initiate it) with a false source address, so that the destination cannot send the SYN_ACK back, and thus gets its table of connection in "opening" (SYN_RCVD) state overflowed. 3. Most major OSes have been patched to resist SYN flooding. 4. To prevent your site, and downstream sites from yours, if you're an ISP, from being a source of SYN-flood attacks, you should set up access-lists on your border routers discarding packets with a source that does not match the corresponding network(s). Note that this is absolutely not linked to HTTP only, but to all TCP services. Jacques. --- Jacques Caron - Pressicom - jcaron@pressicom.fr Mail: 5/7 rue Raspail - 93108 Montreuil Cedex - France Tel: +33 (0)1 49 88 63 93 - Fax: +33 (0)1 49 88 75 15 TAMTAM: +33 (0)6 06 51 02 37 <- ca a encore change. Planete.net: Angouleme, Bordeaux, Lille, Lyon, Marseille, Montreuil, Montpellier, Nancy, Nantes, Rouen et Toulouse - http://www.planete.netReceived on Tuesday, 24 December 1996 17:32:26 UTC
This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:43:00 UTC