New Denial of Service Attack on Panix

Well, my understanding of your idea was that you proposed to detect SYN
packets with unroutable src addresses before they hit the SYN_RCVD
queue. The only way to deem them unroutable is to observe
ICMP_UNREACHs hitting the box in large numbers. Now my first paragraph

Yes, we are 'in SYN' on the approach.....

just means that an SRC address might be a perfectly routable one without
its being real - an unused address on an ethernet segment is enough for
the attack. Or thousands of them for an untraceable attack.

Yes, this also works to our advantage, it seems. As long as
the destination (the source route) is UNREACHABLE, be the
address bogus like or an unused IP address or
a machine that is off on the network, thereby being
UNREACHABLE; after some magic number of ICMP_UNREACHes
IP could block them with a system clock stamp and unblock
them after some other 'optimal deterministic' time.

Thanks for pointing out that the UNREACHABLE could just
be hosts that are turned off. The difficult case,
now that you mention it, are the UNREACHABLEs due
to a route flap or other intermediate system blip.

However, there may be some 'deterministic time'
or number of packets, etc. to set a metrics to
fine tune this.

Thanks for the feedback, BTW.

Best Regards,


I just *KNOW* I'm going to make enemies out of this...

X-Fibernet-Tip: Don't quote more than you contribute!
From: Tim Bass <>
Subject: Re: New Denial of Service Attack on Panix
To: (Dima Volodin)
Date: Wed, 2 Oct 1996 18:01:30 -0400 (EDT)
In-Reply-To: <> from "Dima Volodin" at Oct 2, 96 05:51:34 pm
X-Mailer: ELM [version 2.4 PL24]

Dima got sent a note, and then Dima got CCed. Anyone else see a problem with that?

Further, two lists got CCed, but aren't Kent and Dima BOTH on BOTH lists?

I don't mean to make a mountain out of a molehill, but I can't rightfully
gnaw the leg off a newbie for over-CCing when my colleagues do it
without contest. I know *I* don't need 2 copies of every post.

If I'm wrong...tell me.