Source Spoofing and SYN Flooding: Problems, Solutions, Community Views and Discussion

Avi Freedman, Net Access

Stan Barber's Notes

An effective fix for SunOS BSD kernels is discussed at http://www.netaxs.com/~freedman/syn.

Both CERT and the FBI were very responsive relative to the PANIX attack. The FBI would have been happy to handcuff the perp if PANIX could have identified them.

Alexis is surprised that so many people don't understand the problem and how to deal with it.

What future attacks could there be? There are a lot of critical services that could be affected by "someone with a linux box on the net"...

This will continue as long as someone can send out packets spoofing the source IP address.

Alex believes that source IP filtering should be done on all T1 and slower customers.
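The source IP filtering recommended above, as an added example that is not part of the original notes: an inbound ACL for a customer link permits only that customer's assigned prefixes, so a spoofed SYN never reaches the backbone. The customer names, prefixes (RFC 5737 documentation ranges) and packets are constructed sample data, and the ACL text mirrors classic IOS syntax for illustration only.

```python
"""Ingress source-address filtering on customer links (anti-spoofing)."""
import ipaddress

# Hypothetical customer-to-assigned-prefix table for T1-and-slower links
# (constructed sample data, not real customers).
CUSTOMER_PREFIXES = {
    "cust-a-t1":  ["192.0.2.0/24"],
    "cust-b-56k": ["198.51.100.0/26", "198.51.100.128/25"],
}


def permitted(customer, src_ip):
    """True if src_ip falls inside a prefix assigned to this customer."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(p) for p in CUSTOMER_PREFIXES[customer])


def ingress_acl(customer, acl_number=101):
    """Render an inbound extended ACL permitting only the customer's sources.

    Anything not sourced from an assigned prefix (including spoofed SYNs)
    is denied and logged.  hostmask gives the Cisco-style inverse mask.
    """
    lines = []
    for p in CUSTOMER_PREFIXES[customer]:
        net = ipaddress.ip_network(p)
        lines.append(f"access-list {acl_number} permit ip "
                     f"{net.network_address} {net.hostmask} any")
    lines.append(f"access-list {acl_number} deny ip any any log")
    return lines


def filter_packets(customer, packets):
    """Split (src, dst) packets into accepted and dropped lists."""
    accepted, dropped = [], []
    for src, dst in packets:
        (accepted if permitted(customer, src) else dropped).append((src, dst))
    return accepted, dropped


if __name__ == "__main__":
    # Constructed packets: one legitimate source, two spoofed ones.
    sample = [("192.0.2.17", "203.0.113.5"),
              ("203.0.113.99", "203.0.113.5"),
              ("10.0.0.1", "203.0.113.5")]
    ok, bad = filter_packets("cust-a-t1", sample)
    print("\n".join(ingress_acl("cust-a-t1")))
    print("accepted:", ok)
    print("dropped :", bad)
```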

Questions & Answers

Is this still going on? Can someone be prosecuted if caught?
The wave has not crested yet, and there are federal laws that can be used to prosecute.

What can Windows NT users do?
They do have netstat, but their queue size is something like 5, making them very susceptible. See the comments section for others' comments on this question.

Daniel McRobb comments that it is important for the router vendor to provide more router-based tools to help track this problem when it is happening.

One participant is concerned that the FBI is delegating the responsibility for locating the suspect to arrest. Alexis says that there appears to be considerable variation by region on this issue.

Dave O'Leary from cisco believes that some help is available in 11.2(7), and there is some testing cisco wants to do to determine the impact of this type of packet filtering on a cisco.


Copyright © 1996 Stan Barber. Reproduction with attribution granted.
Academ Consulting Services
P.O. Box 300481
Houston, Texas 77230-0481
Comments via email to www@academ.com