a's, b's, c's, and x's in place of the numbers...
otherwise how could we help?
--->
Robert H. Hanson LAN/WAN Consultant - Internet Service Provider
Otis Orchards, Wa. Cutting Edge Communications www.cet.com
(509) 927-9541 finger: info@cet.com or email: roberth@cet.com
On Mon, 16 Sep 1996, Kai wrote:
> I sent the following off to support@livingston.com, but feel like sharing
> this is a good idea:
> -----------------------
>
> Hi there,
>
> given the recent widespread attacks on the infrastructure of the Internet via
> the SYN Flood tool published in 2600 and Phrack magazine, I decided to
> install outgoing filters on the ethernet ports of our portmasters.
> I opted for the 'log' option in the final 'deny' line.
>
> To my big surprise, the log started reporting denied packets that should
> NEVER have traversed the interface in outbound direction.
>
> After some detailed analysis, it looks like IP traffic that is directed
> by far away hosts at a local PPP dialup user who has JUST DISCONNECTED
> makes the PM (ComOS 3.3.2 release) feel like putting those packets BACK
> on the ethernet. And it's doing this for quite some time: an extreme
> case in the logs after a user disconnected shows about 200 logged deny's
> over a period of 3 minutes and 40 seconds!
>
> Obviously, this is a bad situation: it makes use of the log statement for
> the purpose of detecting spoofed IP packets useless, just at a time when
> we need it most: early detection of SYN flood attempts by 15-year-old-
> hormone-laden-king-of-the-hill-linux-wielding-IRC-warrior-warez-trading
> "users", causing thousands of dollars of damages by executing a small
> C program....
>
> bye,Kai
>
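
An added example, not part of the original thread: one way to triage the deny log so that packets reflected after a hang-up do not drown out spoofing candidates. The log line format, the address block, the disconnect table and the 5-minute grace window are all constructed assumptions; nothing here is ComOS output or syntax.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumptions for this example: the local address block, and how long after
# a hang-up a re-emitted packet is still attributed to that session.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
GRACE = timedelta(minutes=5)

# Constructed sample data (hypothetical format, not real PortMaster logs).
DISCONNECTS = {"192.0.2.57": datetime(1996, 9, 16, 14, 0, 0)}
DENY_LOG = [
    "1996-09-16T14:00:05 src=198.51.100.9 dst=192.0.2.57",
    "1996-09-16T14:03:40 src=198.51.100.9 dst=192.0.2.57",
    "1996-09-16T14:04:10 src=10.9.8.7 dst=203.0.113.80",
    "1996-09-16T15:30:00 src=198.51.100.9 dst=192.0.2.57",
]

def parse(line):
    """Split one constructed log line into (timestamp, source, destination)."""
    ts, src, dst = line.split()
    return (datetime.fromisoformat(ts),
            ipaddress.ip_address(src.split("=", 1)[1]),
            ipaddress.ip_address(dst.split("=", 1)[1]))

def classify(line, disconnects=DISCONNECTS):
    """Label one denied outbound packet from the egress filter log."""
    ts, src, dst = parse(line)
    if src in LOCAL_NET:
        return "unexpected"      # a local source should have been permitted
    if dst in LOCAL_NET:
        hung_up = disconnects.get(str(dst))
        if hung_up is not None and timedelta(0) <= ts - hung_up <= GRACE:
            return "reflected"   # traffic for a user who just disconnected
        return "local-dst"       # re-emitted, but no matching recent hang-up
    return "possible-spoof"      # foreign source AND foreign destination

def triage(lines):
    """Count denied packets per label."""
    counts = {}
    for line in lines:
        label = classify(line)
        counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    for line in DENY_LOG:
        print(classify(line), line)
    print(triage(DENY_LOG))
```

Only the "possible-spoof" lines match the pattern the outgoing filter was installed to catch; the "reflected" lines correspond to the behaviour described in the message above.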