[BC] Internet attacks

RichardBJohnson at comcast.net
Thu Jul 9 09:54:21 CDT 2009


Rule number 1. If it isn't routed, it isn't going anywhere. There is no way that anybody's PC, Sun, or even Cray is going to clog up a fiber channel.

The only transmissions that do not require a destination that responds are a ping-flood to the broadcast address and a SYN-flood to the same.
You don't route these do you?

If a machine is being attacked, you no longer route SYNs (connection attempts) or pings (ICMP) to it. It's that simple. This doesn't affect existing connections or attempts from the attacked machine itself to make connections. You remove the attacked machine from the DNS so that new connections go to another.

A few IT managers who know how TCP/IP works is all it takes to stop this so-called crisis. Furthermore, servers that provide connections (most all), should limit the number of connections per second allowed. Let's say you configured an Apache Web Server so it will only accept one (1) connection per second. The legitimate user would not see any harmful effects. It takes at least a second to paint the screens on a typical PC. This would throttle SYN-flood attempts to where they were only noise! Note that I am not saying to limit the number of connections (limited by resources available), only the number of connections per unit of time.
  
Cheers,
Richard B. Johnson
Book: http://www.AbominableFirebug.com/

----- Original Message -----
From: "Chris Gebhardt" <chris at virtbiz.com>

Jonathan E. Hardis wrote:
> I'm sure that you are absolutely right.  Attackers only hit stale IP
> addresses and never bother to get fresh addresses from DNS.
> 
> Also, about those Government idiots -- why, I bet they load-balance 
> their servers -- the fools that they are -- instead of letting a set 
> of backup machines sit idle and unused until just this sort of attack 
> happens.

Oh, careful not to over-simplify the matter! Actually, with a lot of 
DDoS attacks, it doesn't make a difference in the world if you unplug 
the server, change the IP, move your DNS. That might help for the 
low-level script-kiddie.
