SYN floods - possible solution? (fwd)

-->Well, the advantage to using something like FreeBSD is that it is freely
-->available, well-documented, and eleigible for creating commercial products
-->as long as you check copyrights carefully. Most parts of FreeBSD have no
-->commercial use restrictions like GNU does.
-->And FreeBSD already has the basic functionality in it including support
-->for readily available hardware including 10baseT and 100baseTx and FDDI
-->interfaces. Building this kind of box would be mostly an excercise in
-->subtraction and it may well be possible to strip enough stuff out that it
-->can all be booted off a 1.44 megabyte diskette into a diskless 486 or
-->Pentium box with a RAMdisk.
-->At that point all an ISP needs to do is download a file, a disk writing
-->utility (RAWRITE.EXE) and assemble a box with certain standard components
-->like their choice of 3 types of network card as mentioned above. If the
-->box included ssh for the admin interface maybe it could create a precedent
-->for router manufacturers?
-->NOTE: I copied this one to freebsd-hackers
-->Michael Dillon - ISP & Internet Consulting
-->Memra Software Inc. - Fax: +1-604-546-3049
--> - E-mail:

well it's sad to say, but if you want to get the attention of anybody
around here in this clueful organisation, you have to put it on NT and
make sure microsoft supports it. I hate NT, I'd NEVER run it on my box,
but there are enough people around here that that's all they care about.
I approached our people concerning this yesterday and was stunned to see
blank stares and the question, "you mean you can . . . Why would you want
to do that? . . . They'd never strike here." so I attempted to create a
filter for our max. All that was successful in doing was destroying our
rip updates. The filtering code on a max isn't the best since they don't
concider arp an ip protocol, you have to deny all other IP then allow the
rest. I'll probably look at it some more today.


... and other discussion about <<they are updating phasers and
we are building new shields>>...

Please, note one important issue. You can protect you server from SYN attack, you
can protect it against spoofing, etc... But IF customer (cracker) will be allowed
to send packets with the ANY SRC address into the whole network, he (cracker)
will have always 1,000 different ways of cracking the Internet. He can send
DNS request with YOUR src address, he can send SYN's, he can send ICMP UNREACHABLE
and any other packets. The only shield you can use this case is _your pipe
is larger then him one_. But if there is any way to cause some server
to send 10 packets on 1 requesting UDP packet - that's all...

The ONLY way of preventing this attacks is SRC CONTROL you must have on
the boundaries with the customers. IP provider have to control customers STRICTLY.

One way to do it is _to check routing of SRC address_. Then (in this check) different
criterias of filtering can be used. The easiest is _back routing have to be the same
as direct routing_; another is _SRC from interface0 can't be routed to interface2_,

But anyway, this (by SRC) filtering is the only way of creating good shield.