[BC] Internet attacks

Chris Gebhardt chris at virtbiz.com
Thu Jul 9 10:17:20 CDT 2009


RichardBJohnson at comcast.net wrote:
> Rule number 1. If it isn't routed, it isn't going anywhere. 

That is true.

> The only transmissions that do not require a destination that responds are a ping-flood to the broadcast address and a SYN-flood to same.
> You don't route these do you?

Respectfully, a connected system doesn't have anything to do with DNS, 
so I'm not sure where you are making the connection.

> If a machine is being attacked, you no longer route SYNs (connection attempts) or pings (ICMP) to it. It's that simple. This doesn't affect existing connections or attempts from the attacked machine to make connections, itself. You remove the attacked machine from the DNS so that new connections go to another.

The part that you're missing is that you cannot advertise a single IP in 
BGP.  Likewise, you cannot "un-advertise" a single IP.   If you're 
routing for a block of IPs, then you take every one of them inside the 
block.   And nobody routes a block smaller than a /24 (aka Class C). 
You don't just go around routing for single IPs or /29s etc.

> A few IT managers who know how TCP/IP works is all it takes to stop this so-called crisis. Furthermore, servers that provide connections (most all) should limit the number of connections per second allowed. Let's say you configured an Apache Web Server so it will only accept one (1) connection per second. The legitimate user would not see any harmful effects. It takes at least a second to paint the screens on a typical PC. This would throttle SYN-flood attempts to where they were only noise! Note that I am not saying to limit the number of connections (limited by resources available), only the number of connections per a unit of time.

All fine ideas.   But the issue may not be with the SERVERS.   It may be 
in the routing.

Chris Gebhardt
VIRTBIZ Internet Services
chris at virtbiz.com | (972) 485-4125
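The two mechanisms argued over above, as an added example that is not part of the original thread or of either poster's work. The first function shows what a "/24 minimum" announcement policy implies for the attacked host: the smallest prefix you can announce or withdraw is the /24 containing it, so 255 other addresses go with it. The second part is a per-source limiter of the "N new connections per second" kind the quoted text proposes, run over a constructed SYN trace (one flooding source, one legitimate client); it reports how many SYNs the server would accept and how many bytes still arrived on the link regardless, which is the distinction the reply draws between the server and the routing. Prefix length, addresses, packet sizes and timings are all assumed for illustration.

```python
import ipaddress
from collections import defaultdict, deque


def announceable_prefix(attacked_ip, min_prefix_len=24):
    """Smallest prefix containing attacked_ip that a policy accepting
    nothing longer than /min_prefix_len would carry, and how many other
    addresses are swept in with it.  (Assumed policy: /24 minimum.)"""
    ip = ipaddress.ip_address(attacked_ip)
    net = ipaddress.ip_network(f"{ip}/{min_prefix_len}", strict=False)
    return net, net.num_addresses - 1


class PerSourceRateLimiter:
    """Accept at most `limit` new connections per `window` seconds from
    each source address; everything beyond that is dropped at the server.
    Sliding window over the timestamps of accepted SYNs."""

    def __init__(self, limit=1, window=1.0):
        self.limit = limit
        self.window = window
        self.accepted = defaultdict(deque)  # src -> accepted timestamps

    def allow(self, src, t):
        q = self.accepted[src]
        while q and t - q[0] >= self.window:  # expire old accepts
            q.popleft()
        if len(q) < self.limit:
            q.append(t)
            return True
        return False


def build_trace():
    """Constructed SYN trace: (time, src, bytes).  One source sends
    1000 SYNs/s for 3 s; a legitimate client connects twice."""
    flood = [(i / 1000, "203.0.113.9", 60) for i in range(3000)]
    legit = [(0.5, "198.51.100.7", 60), (2.5, "198.51.100.7", 60)]
    return sorted(flood + legit)


def simulate(trace, limit=1, window=1.0):
    """Run the limiter over the trace.  Returns accepted SYNs per source,
    the number dropped, and the bytes that crossed the link either way."""
    limiter = PerSourceRateLimiter(limit, window)
    accepted = defaultdict(int)
    dropped = 0
    link_bytes = 0
    for t, src, size in trace:
        link_bytes += size  # the packet is on the wire whatever we do
        if limiter.allow(src, t):
            accepted[src] += 1
        else:
            dropped += 1
    return dict(accepted), dropped, link_bytes


if __name__ == "__main__":
    net, others = announceable_prefix("203.0.113.77")
    print(f"withdrawing 203.0.113.77 means withdrawing {net} ({others} other hosts)")
    acc, drop, link = simulate(build_trace())
    print(f"accepted per source: {acc}, dropped: {drop}, bytes on link: {link}")
```

With a one-per-second limit the flooding source gets one connection per second and the legitimate client's two attempts both go through, but every SYN in the trace was still carried to the server: the limiter changes what the server accepts, not what the upstream link has to carry.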
