SYN flood messages flooding my mailbox

The site does not have to be single-homed for filtering to be applicable.

If you relax criteria for reverse-route filtering to "known route" instead
of "best route" then any customer (non-transit) AS can be filtered safely
at border routers.

Making that the default behaviour on customer-access routers would eliminate
source-address spoofing completely.

As a remark -- the SYN flooding attack is far from the only one which
benefits from source address spoofing. There are far more destructive
attacks (such as resetting BGP sessions, or Steve Bellovin's blind
TCP spoofing) which do not require high packet volumes and therefore are
not easily traceable.

As for traceability -- fat lot of good it does you if you discover
that the hacker was smart enough to use an unprotected box somewhere in
Taiwan or Brazil as a staging point for the attack. I've had situations when
I traced attacks to places like that and was anything but able to
explain to the local sysadmins what I wanted from them. Simply because they don't
speak English at all. There are places where they simply don't have
any laws in regard to computer crime, and no Interpol offices. Any
really malicious attacker with more than two neurons would be out of
your reach, and unhindered.

BTW, the enforcement of source address authenticity allows for automated
SYN flooding attack defenses -- if your host sees a stream of SYNs at a
rate more than X pps it simply starts to ignore the SYNs from
that particular source! (A simple algorithm would take care of roaming
sources within some network -- you just sort SYNs by buckets of different
sizes and shut down those which have SYN rate counts higher than
some threshold).
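The two mechanisms above, source-address filtering at the customer-access router (the "best route" rule next to the relaxed "known route" rule) and the bucketed per-source SYN rate limit that becomes possible once source addresses can be trusted, as one runnable added example. This is not code from the original post; the route table, interface names, thresholds, window size and traffic are all constructed for the illustration.

```python
"""Added example (not from the original post): source-address filtering on a
customer-access router, then the per-source SYN rate limiter the post sketches.
Routes, interface names, thresholds and traffic below are constructed."""
import ipaddress

# Constructed route table of a customer-access router: (prefix, interface, metric).
# Customer A (10.1.0.0/16) is dual-homed: a primary link and a backup link.
# There is deliberately no default route; a default route would make the
# "known route" check accept every source address.
ROUTES = [
    (ipaddress.ip_network("10.1.0.0/16"), "cust1", 10),    # customer A, primary
    (ipaddress.ip_network("10.1.0.0/16"), "cust1b", 20),   # customer A, backup
    (ipaddress.ip_network("10.2.0.0/16"), "cust2", 10),    # customer B
    (ipaddress.ip_network("192.0.2.0/24"), "upstream", 10),
]


def matching_routes(src):
    """All routes whose prefix contains src."""
    addr = ipaddress.ip_address(src)
    return [r for r in ROUTES if addr in r[0]]


def best_route(src):
    """Longest prefix wins, then the lowest metric; None if no route is known."""
    matches = matching_routes(src)
    if not matches:
        return None
    return min(matches, key=lambda r: (-r[0].prefixlen, r[2]))


def strict_rpf(src, in_iface):
    """'Best route' rule: accept only if the best route back to src leaves
    through the interface the packet came in on.  Drops legitimate traffic
    from a multi-homed customer that arrives over its non-preferred link."""
    route = best_route(src)
    return route is not None and route[1] == in_iface


def known_route_rpf(src, in_iface):
    """'Known route' rule from the post: accept if ANY route back to src goes
    through the incoming interface, best or not.  Safe for a non-transit
    customer AS, since the only prefixes reachable via that link are its own."""
    return any(r[1] == in_iface for r in matching_routes(src))


class SynRateLimiter:
    """SYNs are counted per time window in buckets of several prefix sizes
    (constructed default: /32, /24, /16).  A SYN is accepted only while every
    bucket it falls into is below that bucket's threshold, so a flood that
    roams across hosts inside one network is caught by the wider bucket even
    though no single /32 exceeds its limit."""

    def __init__(self, thresholds=None, window=1.0):
        self.thresholds = thresholds or {32: 50, 24: 500, 16: 5000}
        self.window = window
        self.current_window = None
        self.counts = {}

    def accept(self, src, now):
        win = int(now // self.window)
        if win != self.current_window:          # new window: forget old counts
            self.current_window, self.counts = win, {}
        addr = ipaddress.ip_address(src)
        over = False
        for plen, limit in self.thresholds.items():
            bucket = ipaddress.ip_network((addr, plen), strict=False)
            self.counts[bucket] = self.counts.get(bucket, 0) + 1
            if self.counts[bucket] > limit:
                over = True
        return not over


def handle_syn(src, in_iface, now, limiter):
    """Access-router pipeline: only sources that pass the known-route check
    are counted, so the limiter's per-source decisions are trustworthy."""
    if not known_route_rpf(src, in_iface):
        return "drop: source not routed via " + in_iface
    if not limiter.accept(src, now):
        return "drop: SYN rate"
    return "accept"


if __name__ == "__main__":
    lim = SynRateLimiter()
    # Constructed flood roaming over 10.1.2.0/24 from the backup link:
    # no host sends more than 3 SYNs, yet the /24 bucket shuts it off.
    verdicts = [handle_syn("10.1.2.%d" % (i % 256), "cust1b", 0.0, lim) for i in range(600)]
    print("accepted %d of %d" % (verdicts.count("accept"), len(verdicts)))
    print(handle_syn("192.0.2.7", "cust1", 0.0, lim))   # spoofed upstream address
```

The thresholds are per window and are plain counts, so a single-host flood of more than 500 SYNs in one window also trips the /24 bucket and takes its neighbours down with it for the rest of that window; real deployments would size the wider buckets against expected aggregate rates rather than the constructed numbers used here.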


The talk I hear in the one ISP's office there:

- Boss: This crazy hacker in Singapore has to die!
- System manager responsible for security (a hacker in the past): OK, sir.

10 minutes later:
- Sys. man: Here is the computer. I am ready to do 'rm -rf', OK?
- Boss: OK.

And then no problems from that site for a year :-)

This is not a good solution, but it works.
In case there is no Interpol in the area, there is 'rm -rf /' :-)