New Denial of Service Attack on Panix

I want to amend my statement a bit. While it sounds like I completely ignored
Curtis' summary message from Monday, in fact, I never received any of those
nanog messages and if I had, I doubt that I would have posted my original
I faithfully read all my nanog mail and I don't understand the gaps in my

It seems to me after reading Curtis' summary that servers can be modified
to make the SYN flooding attacks much more difficult to accomplish. Perhaps
enough so that source address filtering doesn't have the urgency of
implementation and coordination that I thought before reading Curtis' note.


We too have recently gotten hit with these wonderful SYN attacks. Until
router logging (or whatever means we develop to trace these packets) is
developed, I think there are only 2 resolutions:

1) Filter incoming IPs, at least on dial-ups and on non-border (or
non-core) routers, for IP spoofing. (Do not allow IPs that should not
originate over this port(s) to be passed.) This will allow ISPs to stop
their users from originating these floods.
2) Fix the OSes to not be as susceptible to SYN floods. This will
eventually make the hackers bored and the problem will slowly disappear.
(well, maybe)

--Dan Ellis
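
The per-port source filtering described in item 1, modelled as an added example (not part of the original messages and not any router's actual configuration). Port names, prefixes and the sample packets are constructed; the addresses are documentation and private ranges.

```python
import ipaddress
from collections import Counter

# Constructed table: customer-facing port -> prefixes assigned to that port.
# Port names and prefixes are hypothetical.
PORT_PREFIXES = {
    "dialup-1": [ipaddress.ip_network("192.0.2.16/32")],
    "dialup-2": [ipaddress.ip_network("192.0.2.17/32")],
    "leased-7": [ipaddress.ip_network("198.51.100.0/24")],
}

def permit(port, src):
    """Return True if src is an address that may originate on this port."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source address: drop
    # Ports missing from the table get an empty list, so the default is deny.
    return any(addr in net for net in PORT_PREFIXES.get(port, []))

def filter_packets(packets):
    """Split (port, src, dst) tuples into forwarded packets and per-port drop counts."""
    forwarded, dropped = [], Counter()
    for port, src, dst in packets:
        if permit(port, src):
            forwarded.append((port, src, dst))
        else:
            dropped[port] += 1  # per-port counts show which customer port is spoofing
    return forwarded, dropped

# Constructed sample traffic arriving on customer ports.
SAMPLE = [
    ("dialup-1", "192.0.2.16", "203.0.113.80"),     # assigned address: forward
    ("dialup-2", "10.9.8.7", "203.0.113.80"),       # spoofed source: drop
    ("dialup-2", "172.16.4.4", "203.0.113.80"),     # spoofed source: drop
    ("leased-7", "198.51.100.40", "203.0.113.80"),  # inside customer prefix: forward
    ("leased-7", "192.0.2.16", "203.0.113.80"),     # another customer's address: drop
    ("unknown-9", "198.51.100.40", "203.0.113.80"), # port not in table: drop
]

if __name__ == "__main__":
    fwd, drops = filter_packets(SAMPLE)
    print("forwarded:", len(fwd))
    for port, count in sorted(drops.items()):
        print(f"dropped on {port}: {count}")
```
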