
RE: [cobalt-security] SYN attacks killing me! Please HELP!



MN> Date: Mon, 22 Jul 2002 22:05:29 -0400
MN> From: Matthew Nuzum


MN> I checked with my upstream provider and found that they
MN> handle this type of problem in their routers and switches.
MN> They use Cisco and Foundry equipment which (from what I've
MN> heard) is some of the best.

Both of those have their share of bugs; I'd not say "the best",
but I think "some of the best" is reasonable.  However, there
are some nasty bugs that cause nasty problems in the real world.
Beware of vendor hype.  (Yes, we run a fair amount of Cisco
gear.)

The correct way probably is using TCP intercept.  The one who
controls the router does this.  Blocking is ineffective and
obviously can have side-effects.

Ernesto, ask your provider to try TCP intercept.  It will block
bogus SYN requests without dropping valid ones.  Their router
should be able to handle it.


MN> However even if your ISP uses lower end hardware, they should
MN> be able to block this kind of stuff.  I'm sure they'd rather
MN> be doing other things than rebooting blue boxes all the time.
MN> 
MN> I'd really try to get those guys to help you out on this.

Agreed.

A competent provider knows what to do.  A half-competent provider
knows for what to search on Google.  An incompetent provider does
not deserve one's business. ;-)


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <blacklist@xxxxxxxxx>, or you are likely to
be blocked.
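
A sketch of what the TCP intercept setup recommended above looks like on a Cisco IOS router, added here as an example and not taken from the original message or from any provider's actual configuration. The server address 192.0.2.10, the ACL number and the threshold values are constructed placeholders.

```cisco
! Constructed example: 192.0.2.10 stands in for the server under SYN flood.
! ACL 101 selects the destinations whose inbound TCP connections are protected.
access-list 101 permit tcp any host 192.0.2.10
!
! Apply TCP intercept to traffic matching ACL 101.
ip tcp intercept list 101
!
! intercept mode: the router answers the client's SYN itself and only opens
! the server-side connection after the client completes the handshake, so
! spoofed SYNs never reach the server's backlog.
ip tcp intercept mode intercept
!
! When the thresholds below are exceeded, drop the oldest half-open connection.
ip tcp intercept drop-mode oldest
!
! Enter aggressive mode above "high" incomplete connections, leave it below "low".
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
!
! Same thresholds for connection requests seen in the last minute.
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
```

Once applied, `show tcp intercept statistics` and `show tcp intercept connections` report how many incomplete and established connections the router is tracking.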