North American Network Operators Group

Re: SYN floods (was: does history repeat itself?)
> BTW, Alexis Rosen at Panix could use some help tracking down the
> person(s) attacking his machines -- he's more or less being shut down
> by this. He's having some trouble finding the right person at Sprint
> (one of his two providers) to talk to. If the right person could get
> in touch with me, I'll hook the two of you up.
>
> Hopefully, with a little inter-provider cooperation, the guy will get
> caught and arrested soon.
>
> Perry

I'll post more a bit later (the attack is under way now).

MCI was very cooperative, but Sprint said they didn't have time or energy (even though Panix is a Sprint customer) to help to find out where on Sprint's network the packets are entering.

(Panix has a t1 to MCI and a t1 to Sprintlink. In fact, Panix was Sprintlink's first ISP customer, (used to be on sl-dc-1-s0)).

For a while, the attacker was using a constant seq # (though random ports and src addresses). We hacked the kernel to filter out that seq # in tcp input routines.

While how to fix kernels so they're not as vulnerable to huge syn storms is not a NANOG topic, finding the <expletives deleted regretfully> who do this is.

More later,

Avi
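The stopgap described in the message above, sketched as an added user-space example (not code from the original post or from the Panix kernel): find a sequence number shared by many connection-opening SYNs, then drop only SYNs carrying it. The function names, the threshold and the sample headers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define HDR 20      /* minimum TCP header length in bytes */
#define TH_SYN 0x02
#define TH_ACK 0x10

/* Sequence number: bytes 4..7 of the TCP header, network byte order. */
static uint32_t tcp_seq(const uint8_t *h) {
    return ((uint32_t)h[4] << 24) | ((uint32_t)h[5] << 16) | ((uint32_t)h[6] << 8) | h[7];
}

/* Connection-opening segment: SYN set, ACK clear (flags are byte 13). */
static int is_bare_syn(const uint8_t *h, size_t len) {
    return len >= HDR && (h[13] & (TH_SYN | TH_ACK)) == TH_SYN;
}

/* Detection: 1 and *isn set if >= min_hits bare SYNs among n packed headers share a value. */
int find_repeated_isn(const uint8_t *buf, size_t n, size_t min_hits, uint32_t *isn) {
    for (size_t i = 0; i < n; i++) {
        const uint8_t *a = buf + i * HDR;
        size_t hits = 0;
        if (!is_bare_syn(a, HDR)) continue;
        for (size_t j = 0; j < n; j++)
            hits += is_bare_syn(buf + j * HDR, HDR) && tcp_seq(buf + j * HDR) == tcp_seq(a);
        if (hits >= min_hits) { *isn = tcp_seq(a); return 1; }
    }
    return 0;
}

/* Filter: drop only bare SYNs with the flagged value; truncated or ACK segments pass. */
int should_drop(const uint8_t *h, size_t len, uint32_t flagged) {
    return is_bare_syn(h, len) && tcp_seq(h) == flagged;
}

/* Constructed sample header: source port, sequence number and flags only. */
void make_hdr(uint8_t *h, uint16_t sport, uint32_t seq, uint8_t flags) {
    for (int i = 0; i < HDR; i++) h[i] = 0;
    h[0] = (uint8_t)(sport >> 8); h[1] = (uint8_t)sport;
    for (int i = 0; i < 4; i++) h[4 + i] = (uint8_t)(seq >> (24 - 8 * i));
    h[12] = 5 << 4; h[13] = flags;
}

int main(void) {   /* three constructed flood SYNs plus one unrelated SYN */
    uint8_t s[4 * HDR];
    uint32_t isn = 0;
    for (int i = 0; i < 3; i++) make_hdr(s + i * HDR, (uint16_t)(1025 + 977 * i), 0x0BADF00Du, TH_SYN);
    make_hdr(s + 3 * HDR, 2200, 0x5A17C3E1u, TH_SYN);
    return !(find_repeated_isn(s, 4, 3, &isn) && should_drop(s, HDR, isn));
}
```

A filter of this kind also drops any legitimate client whose initial sequence number happens to equal the flagged value, and it stops matching as soon as the sender varies the field.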