Re: [fw-wiz] Tracking down spoofing SYN flood attackers?

From: Mikael Olsson (mikael.olsson@clavister.com)
Date: 01/18/03


From: Mikael Olsson <mikael.olsson@clavister.com>
To: "Stewart, John" <johns@artesyncp.com>
Date: Sat Jan 18 21:42:45 2003


"Stewart, John" wrote:
>
> My question is how would one go about tracking [packets with spoofed
> sender addresses] down and stopping it?

You'd need to get in touch with your ISP, who hopefully can tell the
general direction these packets are coming from, and then hand off
the ball to the next one or several ISPs and ask them if they're seeing
the same traffic, etc etc, until one finds the real sender(s).

However, if this is only a few hundred packets a second, which is plenty
for a successful SYN flood but barely a trickle from a bandwidth
perspective, chances are you'll sooner or later hit a provider that
simply doesn't care. :(

There is some work underway for protocols that, once implemented in the
majority of routers out there, could aid in tracking down spoofed packets,
but AFAIK none of the alternative specifications are finished, and it
definitely hasn't been rolled out anywhere.

My personal favorite is IETF Itrace:
http://www.ietf.org/html.charters/itrace-charter.html

(But, as I said, this won't help you here and now.)

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

