1996-09-13 - Re: PANIX.COM down: denial of service attack

Header Data

From: M C Wong <mcw@hpato.aus.hp.com>
To: frissell@panix.com (Duncan Frissell)
Message Hash: 24303faa802e4b85321ca57dbd1c698e286a7b7d9ac4fc7247050abdad0753f1
Message ID: <199609130334.AA161125684@relay.hp.com>
Reply To: <2.2.32.19960912182630.008b6324@panix.com>
UTC Datetime: 1996-09-13 08:16:02 UTC
Raw Date: Fri, 13 Sep 1996 16:16:02 +0800

Raw message

From: M C Wong <mcw@hpato.aus.hp.com>
Date: Fri, 13 Sep 1996 16:16:02 +0800
To: frissell@panix.com (Duncan Frissell)
Subject: Re: PANIX.COM down: denial of service attack
In-Reply-To: <2.2.32.19960912182630.008b6324@panix.com>
Message-ID: <199609130334.AA161125684@relay.hp.com>
MIME-Version: 1.0
Content-Type: text/plain

> Here are the gory details from the first MOTD last Saturday:

>                The attacker is forging random source addresses on his
>                packets, so there is no way to find his/her location. There
>                is also no way to screen out those packets with a simple
>                router filter.

>                This is probably the most deadly type of denial-of-service
>                attack possible. There is no easy or quick way of dealing
>                with it. If it continues into Saturday we will start working
>                on kernel modifications to try to absorb the damage
>                (since there's absolutely no way to avoid it). This
>                however will not be an easy job and it could take days to
>                get done (and get done right).

>                For those who are IP hackers, the problem is that we're
>                being flooded with SYNs from random IP addresses on
>                our smtp ports. We are getting on average 150 packets
                     ^^^^

                 Can't access to this port be guarded against by a filtering
                 router which is configured to accept *only* a number of
                 trusted MX hosts? That is, the target itself *never* permits
                 any incoming traffic to the smtp port from hosts *not* in the
                 list of trusted MX hosts, which do buffering for the target.
                 Info on such MX hosts could be hidden via a secure DNS
                 setup so the attacker will not learn about the MX hosts easily.
                 In case one MX host gets flooded, there will be at least one
                 backup host to take over to prevent a total D.O.S.


> Since then the packet streams have hit almost all the ports for news, www,
> telnet, etc.  

> DCF

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 M.C Wong                                  Email: mcw@hpato.aus.hp.com 
 Australian Telecom Operation              Voice: +61 3 9210 5568
 Hewlett-Packard Australia Ltd             Fax:   +61 3 9210 5550
 P.O. Box 221, Blackburn 3130, Australia
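As an added defender-side illustration, not code from the thread or from Panix: the first function scores SYN traffic per port for the pattern the MOTD describes (a high SYN rate with nearly every SYN from a different, forged source), and the second applies the filtering-router idea from the reply, admitting SMTP SYNs only from a trusted MX list. The packet records, thresholds and addresses are constructed for the example.

```python
"""SYN-flood triage and MX allow-list filtering over constructed packet records."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float    # capture time in seconds
    src: str     # source IP as seen on the wire (may be forged)
    dport: int   # destination TCP port
    syn: bool    # True for a bare SYN (new connection attempt)


def syn_stats(pkts, window=1.0):
    """Per destination port: SYN count, peak SYNs in any sliding window,
    and the share of SYNs that came from distinct sources.  A flood of
    forged random sources shows a high peak AND a distinct ratio near 1."""
    by_port = defaultdict(list)
    for p in pkts:
        if p.syn:
            by_port[p.dport].append(p)
    out = {}
    for port, ps in by_port.items():
        ps.sort(key=lambda p: p.ts)
        peak, lo = 0, 0
        for hi in range(len(ps)):
            while ps[hi].ts - ps[lo].ts >= window:   # shrink window from the left
                lo += 1
            peak = max(peak, hi - lo + 1)
        distinct = len({p.src for p in ps}) / len(ps)
        out[port] = {"syns": len(ps), "peak_per_window": peak,
                     "distinct_src_ratio": round(distinct, 2)}
    return out


def is_spoofed_syn_flood(stats, rate_threshold=100, distinct_threshold=0.9):
    """Flag ports whose SYN peak and source diversity both exceed thresholds."""
    return {port: s["peak_per_window"] >= rate_threshold
            and s["distinct_src_ratio"] >= distinct_threshold
            for port, s in stats.items()}


def mx_allowlist_filter(pkts, trusted_mx, smtp_port=25):
    """The reply's proposal: drop inbound SMTP SYNs unless the source is a trusted MX."""
    return [p for p in pkts
            if not (p.dport == smtp_port and p.syn and p.src not in trusted_mx)]


# Constructed sample: 150 SYNs in one second to port 25 from 150 distinct forged
# sources (the rate quoted in the MOTD), plus a trusted MX and one web client.
FLOOD = [Pkt(10.0 + i / 150, f"{i*37%223+1}.{i*91%256}.{i*53%256}.{i*17%254+1}", 25, True)
         for i in range(150)]
LEGIT = [Pkt(10.0 + i * 0.3, "192.0.2.10", 25, True) for i in range(4)] + [Pkt(10.5, "198.51.100.7", 80, True)]
SAMPLE = FLOOD + LEGIT
TRUSTED_MX = {"192.0.2.10", "192.0.2.11"}   # hypothetical relay MX hosts
```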
