North American Network Operators Group

Re: New Denial of Service Attack on Panix
> Have a look at the firewalls mailing list archive for more info
> http://www.greatcircle.com/firewalls/archive/firewalls.9609.Z
>
> There are at least three things you can do to protect yourself from such
> attacks. One is to patch your UNIX/BSD kernel to allow much higher numbers
> of incomplete socket connections. One is to have another machine or your
> network issue RST's for sockets that it thinks are part of the SYN flood

I like this.

> attack. And one is to install a SYN proxy machine between your net and the
> Internet which catches all SYN packets and holds them until an ACK is
> received at which point the SYN and the ACK are passed on to your network.

I like this even more, but the potential for disaster if the box goes down
is just too huge...

> Such a proxy can be built to handle HUGE numbers of incomplete connections.
>
> Michael Dillon - ISP & Internet Consulting

Avi
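
A toy model of the SYN proxy described in the quoted text, added here as an illustration and not part of the original thread: SYNs are held in a table and the server sees nothing until a matching ACK arrives. The class name, table size, timeout and addresses are assumptions made for the example; a real proxy would also have to answer the client with its own SYN-ACK, which the model leaves out.

```python
from collections import OrderedDict

class SynProxy:
    """Toy model of the SYN proxy described in the post (not a packet filter)."""
    def __init__(self, max_pending=100_000, timeout=10.0):
        self.max_pending = max_pending  # assumed table size
        self.timeout = timeout          # assumed seconds to wait for the ACK
        self.pending = OrderedDict()    # 4-tuple -> time the SYN was last seen
        self.forwarded = []             # packets the protected server gets to see

    def expire(self, now):
        # Entries stay in last-seen order, so stale ones sit at the front.
        while self.pending:
            conn, seen = next(iter(self.pending.items()))
            if now - seen < self.timeout:
                break
            del self.pending[conn]

    def on_syn(self, conn, now):
        """Hold the SYN; the server is not told about it yet."""
        self.expire(now)
        if conn in self.pending:
            self.pending.move_to_end(conn)    # retransmitted SYN refreshes the entry
        elif len(self.pending) >= self.max_pending:
            self.pending.popitem(last=False)  # table full: drop the oldest held SYN
        self.pending[conn] = now

    def on_ack(self, conn, now):
        """An ACK matching a held SYN releases both to the server."""
        self.expire(now)
        if self.pending.pop(conn, None) is None:
            return False                      # no held SYN for this 4-tuple: drop
        self.forwarded += [("SYN", conn), ("ACK", conn)]
        return True

def simulate(flood_size=50_000):
    """Constructed traffic: SYNs that never complete, plus one real client."""
    proxy = SynProxy()
    for i in range(flood_size):  # documentation-range addresses, made up here
        proxy.on_syn((f"198.51.100.{i % 254 + 1}", 1024 + i, "192.0.2.10", 80), i * 0.0001)
    client = ("203.0.113.7", 40000, "192.0.2.10", 80)
    proxy.on_syn(client, 5.0)
    completed = proxy.on_ack(client, 5.05)
    held = len(proxy.pending)    # flood entries still waiting for an ACK
    proxy.expire(20.0)           # after the timeout they are gone
    return completed, proxy.forwarded, held, len(proxy.pending)

if __name__ == "__main__":
    print(simulate())
```

In the simulated run the server-side list contains only the one completed handshake, while the 50,000 unanswered SYNs occupy the proxy's table until they time out.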