SYN: from the firewalls list


how do we fix zillions of machines from a "red flag" situation. or at
least the ones we care about... is this not "logical"...

There are 2 fixes. The first is very simple: Every ISP has ppl to do the
work. Within a few hours every SYN attack should be backtraceable,
especially if one can expect it and prepare to it. Every ISP only needs the
phone number of the person on the upstream isp which is providing the trace
service. Additionally Tools like Argus can be used at ISPs to log the
Traffic and bad conditions with source. Geenrally this is a political Fix
which can be supported by Filtering and all kind of time consuming and
expensive work.

The other fix is to deveop a new protocol which is beeter suited for
communication in an hostile environment. This is IPv6 or IPsec.

Currently the is no real fix to SYN attacks. There are a few good attempts
like reverse-resolving of addresses, wrap around listen-backlogs instead of
fill up queues. At least systems can be enhanced to WARN about SYN Attacks.
With some things like Wrap-Around queues one can at least enhance the amount
of bandwith needed for a syn attack. But you can nerver gurantee operation
forr servicers which are connected to the open internet.