Firewall Wizards mailing list archives
Re: Tracking down spoofing SYN flood attackers?
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Sat, 18 Jan 2003 14:21:03 +0100
"Stewart, John" wrote:
> My question is how would one go about tracking [packets with spoofed sender addresses] down and stopping it?
You'd need to get in touch with your ISP, who hopefully can tell the general direction these packets are coming from, and then hand off the ball to the next one or several ISPs and ask them if they're seeing the same traffic, etc etc, until one finds the real sender(s).

However, if this is only a few hundred packets a second, which is plenty for a successful SYN flood but barely a trickle from a bandwidth perspective, chances are you'll sooner or later hit a provider that simply doesn't care. :(

There is some work underway for protocols that, once implemented in the majority of routers out there, could aid in tracking down spoofed packets, but AFAIK none of the alternative specifications are finished, and it definitely hasn't been rolled out anywhere.

My personal favorite is IETF Itrace:
http://www.ietf.org/html.charters/itrace-charter.html

(But, as I said, this won't help you here and now.)

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00
Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50
WWW: http://www.clavister.com