Re: [fw-wiz] Tracking down spoofing SYN flood attackers?

From: Mikael Olsson (mikael.olsson@clavister.com)
Date: 01/18/03


From: Mikael Olsson <mikael.olsson@clavister.com>
To: "Stewart, John" <johns@artesyncp.com>
Date: Sat Jan 18 21:42:45 2003


"Stewart, John" wrote:
>
> My question is how would one go about tracking [packets with spoofed
> sender addresses] down and stopping it?

You'd need to get in touch with your ISP, who hopefully can tell the
general direction these packets are coming from, and then hand off
the ball to the next one or several ISPs and ask them if they're seeing
the same traffic, etc etc, until one finds the real sender(s).

However, if this is only a few hundred packets a second, which is plenty
for a successful SYN flood but barely a trickle from a bandwidth
perspective, chances are you'll sooner or later hit a provider that
simply doesn't care. :(

There is some work underway for protocols that, once implemented in the
majority of routers out there, could aid in tracking down spoofed packets,
but AFAIK none of the alternative specifications are finished, and it
definitely hasn't been rolled out anywhere.

My personal favorite is IETF Itrace:
http://www.ietf.org/html.charters/itrace-charter.html

(But, as I said, this won't help you here and now.)

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
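The point made above, that a few hundred spoofed SYNs per second is plenty to exhaust a listener while being a trickle of bandwidth, can be checked with a small queue model. The following is an added example, not code from the original thread or from Clavister: it simulates a listener's half-open (SYN_RECV) table as a fixed-size backlog, where a spoofed SYN holds a slot until the SYN-ACK retransmits give up (the forged source never answers) and a legitimate client releases its slot after one RTT. The figures it assumes (60-byte SYN on the wire, a 1024-entry backlog, a 180-second half-open lifetime, 10 legitimate connections per second) are illustrative assumptions, not values from the post.

```python
"""Model of why a low-rate spoofed SYN flood fills a listener's backlog.

Constructed example; the numbers below are assumptions chosen for illustration.
"""
import heapq
import random

SYN_PACKET_BYTES = 60  # assumption: IPv4+TCP SYN incl. Ethernet framing


def flood_bandwidth_bps(syn_per_second, packet_bytes=SYN_PACKET_BYTES):
    """Bandwidth a spoofed SYN flood costs the attacker (and the victim's link)."""
    return syn_per_second * packet_bytes * 8


def saturating_rate(backlog, half_open_lifetime):
    """Spoofed SYN rate at which the half-open table stays full in steady state.

    Little's law: entries in table = arrival rate * time each entry stays.
    """
    return backlog / half_open_lifetime


def _arrivals(rate, duration, rng, kind):
    """Poisson arrivals of one packet kind over [0, duration] (constructed input)."""
    out = []
    if rate <= 0:
        return out
    t = 0.0
    while True:
        t += rng.expovariate(rate)
        if t > duration:
            return out
        out.append((t, kind))


def simulate(spoofed_rate, legit_rate, backlog, half_open_lifetime,
             legit_rtt=0.1, duration=60.0, seed=1):
    """Replay a mixed SYN stream through a backlog of fixed size.

    Returns counts of legitimate SYNs seen/dropped and the drop fraction.
    """
    rng = random.Random(seed)
    arrivals = sorted(_arrivals(spoofed_rate, duration, rng, "spoofed") +
                      _arrivals(legit_rate, duration, rng, "legit"))
    expiry = []  # min-heap of times at which half-open entries leave the table
    legit_seen = legit_dropped = spoofed_dropped = 0
    peak = 0
    for t, kind in arrivals:
        # Free every entry whose hold time has elapsed before this packet.
        while expiry and expiry[0] <= t:
            heapq.heappop(expiry)
        if kind == "legit":
            legit_seen += 1
        if len(expiry) >= backlog:
            # Backlog full: the SYN is silently discarded.
            if kind == "legit":
                legit_dropped += 1
            else:
                spoofed_dropped += 1
            continue
        # Spoofed: SYN-ACK goes to the forged address, no ACK ever arrives,
        # so the slot is held until the stack gives up retransmitting.
        # Legitimate: the client's ACK arrives after one RTT and the slot
        # moves to the established state, freeing the half-open entry.
        hold = legit_rtt if kind == "legit" else half_open_lifetime
        heapq.heappush(expiry, t + hold)
        peak = max(peak, len(expiry))
    frac = legit_dropped / legit_seen if legit_seen else 0.0
    return {
        "legit_seen": legit_seen,
        "legit_dropped": legit_dropped,
        "legit_drop_fraction": frac,
        "spoofed_dropped": spoofed_dropped,
        "peak_half_open": peak,
    }


if __name__ == "__main__":
    print("rate that keeps a 1024-entry backlog full with 180 s half-open lifetime:",
          round(saturating_rate(1024, 180), 2), "SYN/s")
    print("300 SYN/s costs", flood_bandwidth_bps(300) / 1000, "kbit/s")
    print("300 SYN/s flood:", simulate(300, 10, 1024, 180))
    print("2 SYN/s flood:  ", simulate(2, 10, 1024, 180))
```

With the assumed parameters, roughly six spoofed SYNs per second already keep the table full in steady state, and 300 per second (about 144 kbit/s) drops almost every legitimate connection attempt once the backlog has filled in the first few seconds. Changing `half_open_lifetime` to a stack's real SYN-ACK retransmit budget, or `backlog` to the listener's actual queue, shows how much headroom a given host has before SYN cookies or upstream filtering are needed.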