SYN floods (was: does history repeat itself?)

BTW, Alexis Rosen at Panix could use some help tracking down the
person(s) attacking his machines -- he's more or less being shut down
by this. He's having some trouble finding the right person at Sprint
(one of his two providers) to talk to. If the right person could get
in touch with me, I'll hook the two of you up.

Hopefully, with a little inter-provider cooperation, the guy will get
caught and arrested soon.


I'll post more a bit later (the attack is under way now).

MCI was very cooperative, but Sprint said they didn't have time or
energy (even though Panix is a Sprint customer) to help to find out
where on Sprint's network the packets are entering. (Panix has a
t1 to MCI and a t1 to Sprintlink. In fact, Panix was Sprintlink's
first ISP customer, (used to be on sl-dc-1-s0)).

For a while, the attacker was using a constant seq # (though random ports
and src addresses). We hacked the kernel to filter out that seq # in
tcp input routines.

While how to fix kernels so they're not as vulnerable to huge syn storms
is not a NANOG topic, finding the <expletives deleted regretfully> who
do this is.

More later,