Date:      Sun, 8 Sep 1996 17:57:33 +1000 (EST)
From:      Darren Reed <avalon@coombs.anu.edu.au>
To:        bugs@freebsd.netcom.com (Mark Hittinger)
Cc:        freebsd-security@FreeBSD.org
Subject:   Re: Panix Attack: synflooding and source routing?
Message-ID:  <199609080802.AA07044@mail.crl.com>
In-Reply-To: <199609072204.RAA16524@freebsd.netcom.com> from "Mark Hittinger" at Sep 7, 96 05:04:24 pm

In some mail from Mark Hittinger, sie said:
> 
> 
> Netcom's IRC servers were attacked by a similar mechanism a couple of 
> weeks ago - random source addresses on packets that touched telnet, smtp,
> auth, irc, and then back to telnet.
> 
> A most effective attack.  We tracked it as far as we could and have more
> ideas about how to follow it back now.
> 
> I'm jamming with a router buddy trying to get some code into the next cisco
> release - we can detect the condition at the router and log which interface
> we are getting the packets from.  If the router can query its adjacent
> routers' "spray log" we'd be able to very quickly find the machine that
> the kiddies are running from (naturally it will belong to somebody else :-) ).
> 
> There may be a kernel fix for this but I'm leaning towards a router based
> fix at this time.

I think it needs to be taken up at NANOG to have filters in place at all the
small entry points for PPP dialups and other customers (who only have one or
two networks/subnets which require Internet routing) to only permit packets
onto the Internet with correct source addresses.  This doesn't prevent the
attack, but it does help in a major way for tracking the perpetrators.

darren
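
The source-address filtering proposed in the reply above, sketched as an added example that is not part of the original e-mail: packets are forwarded only when their source address belongs to a prefix assigned to the interface they arrived on, and drops are counted per interface so the origin of forged traffic can be traced. The interface names, prefixes and packets are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed example: prefixes routed to each customer-facing interface.
CUSTOMER_PREFIXES = {
    "ppp0": ["192.0.2.0/28"],
    "ppp1": ["198.51.100.64/26", "203.0.113.0/24"],
}

def build_filters(table):
    """Parse the per-interface prefix lists into network objects."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in table.items()}

def permit(filters, ifname, src):
    """True only if src lies in a prefix assigned to the ingress interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source address: never forward
    return any(addr in net for net in filters.get(ifname, ()))

def filter_packets(filters, packets):
    """Return (forwarded packets, Counter of drops keyed by interface)."""
    forwarded, dropped = [], Counter()
    for ifname, src, dst in packets:
        if permit(filters, ifname, src):
            forwarded.append((ifname, src, dst))
        else:
            dropped[ifname] += 1  # the per-interface log used for tracing
    return forwarded, dropped

# Constructed sample traffic: (ingress interface, source, destination).
SAMPLE_PACKETS = [
    ("ppp0", "192.0.2.5", "203.0.113.10"),    # correct source for ppp0
    ("ppp0", "10.9.8.7", "203.0.113.10"),     # source not assigned to ppp0
    ("ppp0", "172.16.44.1", "203.0.113.10"),  # source not assigned to ppp0
    ("ppp1", "203.0.113.77", "192.0.2.5"),    # correct source for ppp1
    ("ppp1", "192.0.2.5", "192.0.2.9"),       # real address, wrong interface
]

if __name__ == "__main__":
    fwd, drops = filter_packets(build_filters(CUSTOMER_PREFIXES), SAMPLE_PACKETS)
    print("forwarded:", len(fwd))
    for ifname, count in sorted(drops.items()):
        print(f"dropped on {ifname}: {count}")
```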


