North American Network Operators Group

Re: New Denial of Service Attack on Panix
Michael Dillon suggests:

> There are at least three things you can do to protect yourself from such
> attacks. One is to patch your UNIX/BSD kernel to allow much higher numbers
> of incomplete socket connections. One is to have another machine or your
> network issue RST's for sockets that it thinks are part of the SYN flood
> attack. And one is to install a SYN proxy machine between your net and the
> Internet which catches all SYN packets and holds them until an ACK is
> received at which point the SYN and the ACK are passed on to your network.
> Such a proxy can be built to handle HUGE numbers of incomplete connections.

Great suggestion Mike! Much quicker to do than a stochastic analysis
of the pseudo-random nature of the attack (unless you're the US government :-)
and much cheaper to implement (unless you're the US government :-)

Certainly the UNIX proxy hack is easier than resorting to code-breaking,
stochastic methods.

Hats off to you,

Tim
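
An added sketch of the third option quoted above (not code from this thread or its authors): a toy Python model of a SYN proxy's half-open table that holds each SYN and passes the SYN and ACK inward only once the ACK arrives. The class and method names, table size, timeout and addresses are assumptions constructed for illustration; the proxy answering the client's SYN itself is not modelled.

```python
from collections import OrderedDict

class SynProxy:
    """Toy model: hold each SYN, release SYN+ACK inward only when the ACK arrives."""

    def __init__(self, max_pending=100_000, timeout=30.0):
        self.max_pending = max_pending   # size of the proxy's own half-open table
        self.timeout = timeout           # seconds a held SYN may wait for its ACK
        self.pending = OrderedDict()     # (src_ip, src_port) -> (syn_seq, arrival_time)
        self.forwarded = []              # packets passed on to the protected network

    def _expire(self, now):
        # Entries are kept in arrival order, so expired ones sit at the front.
        while self.pending:
            key, (_, t) = next(iter(self.pending.items()))
            if now - t < self.timeout:
                break
            del self.pending[key]

    def on_syn(self, src, sport, seq, now):
        self._expire(now)
        key = (src, sport)
        self.pending.pop(key, None)           # a retransmitted SYN replaces the old entry
        if len(self.pending) >= self.max_pending:
            self.pending.popitem(last=False)  # table full: drop the oldest held SYN
        self.pending[key] = (seq, now)

    def on_ack(self, src, sport, ack_seq, now):
        self._expire(now)
        held = self.pending.pop((src, sport), None)
        if held is None:
            return False                      # no held SYN: nothing reaches the server
        seq, _ = held
        self.forwarded.append(("SYN", src, sport, seq))
        self.forwarded.append(("ACK", src, sport, ack_seq))
        return True

def simulate():
    proxy = SynProxy(max_pending=1000, timeout=30.0)
    # Constructed traffic: 5000 SYNs from sources that never send an ACK...
    for i in range(5000):
        proxy.on_syn(f"198.51.100.{i % 250}", 1024 + i, seq=i, now=i * 0.001)
    # ...and one client that completes the handshake.
    proxy.on_syn("192.0.2.10", 40000, seq=7, now=5.0)
    ok = proxy.on_ack("192.0.2.10", 40000, ack_seq=8, now=5.1)
    return ok, proxy.forwarded, len(proxy.pending)
```

In this model the protected network sees only the two packets of the completed handshake, while the flood consumes nothing but bounded proxy state.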