1996-09-13 - Re: PANIX.COM down: denial of service attack

Header Data

From: M C Wong <mcw@hpato.aus.hp.com>
To: perry@piermont.com
Message Hash: 2714d0d4d26f87f7a843f502cde1d99aa50a408583b7307a5cd2b6484f539438
Message ID: <199609130416.AA198858212@relay.hp.com>
Reply To: <199609130408.AAA09629@jekyll.piermont.com>
UTC Datetime: 1996-09-13 07:21:59 UTC
Raw Date: Fri, 13 Sep 1996 15:21:59 +0800

Raw message

From: M C Wong <mcw@hpato.aus.hp.com>
Date: Fri, 13 Sep 1996 15:21:59 +0800
To: perry@piermont.com
Subject: Re: PANIX.COM down: denial of service attack
In-Reply-To: <199609130408.AAA09629@jekyll.piermont.com>
Message-ID: <199609130416.AA198858212@relay.hp.com>
MIME-Version: 1.0
Content-Type: text/plain



> M C Wong writes:
> > >                For those who are IP hackers, the problem is that we're
> > >                being flooded with SYNs from random IP addresses on
> > >                our smtp ports. We are getting on average 150 packets
> >                      ^^^^
> > 
> >                  Can't access to this port be guarded against by a filtering
> >                  router which is configured to accept *only* a number of
> >                  trusted MX hosts?

> Sure -- if you only want to accept mail from fifteen machines on
> earth. If on the other hand your users might get mail from anywhere on
> earth, your mail ports have to be open to connections from anywhere.

No, I am saying that we use the MX field in DNS to specify our MX hosts, so
other hosts from anywhere else will time out connecting to the target smtp
while trying to deliver mail directly to it, and hence will have to send
the message to the next best MX host instead, and the firewall is configured
to permit access *only* from those MX hosts.

The problem here becomes how one can protect all those MX hosts instead.
DNS cannot hide that info properly, I believe, since it will mean it also
hides info of mail delivery to the host, a D.O.S in itself. 8-((

> .pm
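
The arrangement discussed in this message, modelled as an added Python example that is not part of the original email. The domain, MX records, addresses and filter rule are constructed sample data; the code traces where an outside sender and a backup MX end up connecting, and which hosts still accept SMTP from any source.

```python
import ipaddress

# Constructed sample data (not from the original message): MX records for a
# hypothetical domain as (preference, host); lower preference is tried first.
MX = [(10, "mail.example.com"), (20, "mx1.example.net"), (30, "mx2.example.net")]
ADDR = {"mail.example.com": "192.0.2.25",
        "mx1.example.net": "198.51.100.10",
        "mx2.example.net": "198.51.100.20"}
# Filtering-router rule in front of the primary: TCP/25 only from the backup MXs.
PRIMARY = "mail.example.com"
ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]


def port25_reachable(src_ip, dst_host):
    """True if a SYN from src_ip to dst_host:25 gets past the packet filter."""
    if dst_host != PRIMARY:
        return True  # backup MX hosts must accept SMTP from anywhere
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in ALLOWED_SOURCES)


def delivery_path(src_ip, sender_host=None):
    """Return (hosts tried in order, host that accepted, or None).

    A relay that is itself listed as an MX only tries hosts with a lower
    preference number than its own (standard SMTP loop prevention).
    """
    candidates = sorted(MX)
    own = [p for p, h in MX if h == sender_host]
    if own:
        candidates = [(p, h) for p, h in candidates if p < own[0]]
    tried = []
    for _, host in candidates:
        tried.append(host)  # a filtered host costs the sender a connect timeout
        if port25_reachable(src_ip, host):
            return tried, host
    return tried, None


def exposed_hosts():
    """MX hosts whose port 25 still answers an arbitrary source address."""
    return [h for _, h in sorted(MX) if port25_reachable("203.0.113.77", h)]


if __name__ == "__main__":
    print(delivery_path("203.0.113.77"))                              # outside sender
    print(delivery_path(ADDR["mx1.example.net"], "mx1.example.net"))  # backup relaying in
    print(exposed_hosts())
```

The filter removes the primary from `exposed_hosts()`, but every backup MX remains in it, which is the residual exposure the message ends on.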




