New Denial of Service Attack on Panix


On topic: Most of the discussion has been about stopping these general
kinds of attacks from dial-up providers, ISP's. I've not heard much
about what seems to be the other major source of potential problems,
namely universities and schools.. They seem to provide a somewhat more
involved challenge in the effort to source filter outbound packets.

good point. in the incidents i've seen here at uc berkeley, about half
were sourced from dial-up providers and about half from other universities.
however, in the majority of the cases, the source host appeared to be a
compromised host, that is, the real perpetrator was actually somewhere

at least in the university environment, i think you would find that most
universities have a central networking group that would be interested in
doing the "right thing," given adequate education and resources. for the
record, i've been filtering inbound and outbound at uc berkeley since
early march 95.

                           ... So it has to happen closer to the

works better closer to the source too: the northern uc campuses are
working toward utilizing a single ds3 into an isp. if the filtering were
done at the isp's interface, the filter would have to permit any packet
with a source ip address from any of the 5 northern campus. whereas my
filters permit only uc berkeley source ip addresses. i also use some
strategically located filters in uc berkeley's interior as well.

   ... It would be interesting to hear an opinion from some networking
folks at the regionals or at campuses about whether this kind of
filtering can or will be done...

again, i think educating the local networking groups is a key issue.
in uc berkeley's case, kevin mitnick provided the education :-} as well
as the opportunity to squeeze extra $$$ out of the university administration
for a border router capable of handling the filtering.



I think that you are right on target here. I was thinking that a good way
to get the word out to the .edu community might be for someone to deliver
a paper on this problem (SYN flood and other source spoofed attacks) at
the upcoming LISA.

Any takers?