Hackers actually started this quite a few years ago -- if I recall
correctly, it happened to Panix (a large ISP in New York) around 1997 or so.
---Correct. It is not a new exploit, but one which is increasing in popularity due to
its relative ease of execution.
>During a Syn flood attack, an attacker can attempt to saturate your link
>to\from the Internet by sending spoofed syn packets to your edge
>router. If the attacker has more bandwidth at his\her disposal than you,
>then the DOS is due to link saturation.
Actually, that better describes a ping flood (which we had happen to us),
rather than a SYN flood.
---The attacks to which I am referring are high traffic syn floods, not standard ping
packet floods nor low traffic syn floods (according to firewall and bandwidth
measurement logging).
A SYN flood, though, can do damage even if the attacker's bandwidth is
small (as it will prevent access to specific services, such as web or SMTP
access).
---Correct. A syn proxy on a firewall will stop this.
>The question is this: If the attacker sent the syn flood to important
>ports, say 25 and 80, and the only defense was to block access to these
>ports way up stream, how could you get back online quickly? You could
>receive mail on your backup mx, but you could not send mail (because the
>block is bidirectional...you'd have to loop all outgoing mail through
>another imail server on another IP, I suppose) nor could you use pop if
>the attack was on 110. Has anyone been through this yet and if so, what
>creative methods did you use to defend yourself?
Probably the best way to get back online would be to switch the IP of the
mailserver, and change the DNS entries (by changing the IP associated with
the A record of the hostname referenced in the MX record). Of course, the
attacker could then change the attack to point to that IP.
---This unfortunately illustrates my point. This attack, when executed properly and
with precision, will take down your mission critical email infrastructure, or at least
part of it, until you can change and propagate dns? Then, the attacker simply
switches the syn flood to the new ip? This may raise a red flag for some of you.
This is an example of where it would be *extremely* useful to have some
sort of system in place where ISPs were required to deal with
this. Although your ISP may be 100% cooperative, they can't stop the
attack without the cooperation of the pipe where the attack is coming
from. If everyone cooperated, the source of the attack could be identified.
---But what about for now...while we wait for this to happen? I've never found the
'sitting duck' defense very effective.
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches both viruses and vulnerabilities in E-mail, with no
annual licensing fees.
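A toy model of the SYN proxy mentioned above ("A syn proxy on a firewall will stop this"), added here as an illustration; it is not code from this thread, from IMail, or from any firewall product. It contrasts a naive listener, which parks every SYN in a fixed-size backlog until the handshake completes, with a stateless proxy that answers each SYN with a SYN-cookie sequence number and only hands a connection to the server once a client returns the matching ACK. The `Packet` class, the HMAC-based cookie, the backlog size and the simulated traffic are all constructed assumptions for the demonstration.

```python
"""Toy SYN proxy vs. naive backlog listener (added example, not from the thread)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed per-run secret; a real implementation rotates this regularly.
SECRET = os.urandom(16)
COOKIE_WINDOW = 2  # how many counter ticks a SYN-ACK cookie stays acceptable


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dport: int
    flags: str  # "SYN" or "ACK"
    ack: int = 0  # acknowledgement number, only meaningful on ACK packets


def syn_cookie(src, sport, dport, counter, secret=SECRET):
    """Stateless 32-bit initial sequence number derived from the tuple and a time counter."""
    msg = f"{src}:{sport}>{dport}:{counter}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


class NaiveListener:
    """Every SYN occupies a backlog slot until its handshake completes or times out."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}  # (src, sport) -> ISN we sent in the SYN-ACK
        self.established = 0
        self.dropped = 0

    def on_syn(self, p):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1  # backlog full: legitimate SYNs are lost too
            return None
        isn = 1000  # constructed fixed ISN; a real stack randomises this
        self.half_open[(p.src, p.sport)] = isn
        return isn

    def on_ack(self, p):
        isn = self.half_open.pop((p.src, p.sport), None)
        if isn is not None and p.ack == isn + 1:
            self.established += 1
            return True
        return False


class SynProxy:
    """Answers every SYN with a cookie ISN, stores nothing, forwards only validated ACKs."""

    def __init__(self):
        self.counter = 0
        self.forwarded = 0  # connections handed to the real mail/web server
        self.rejected = 0  # ACKs whose cookie did not verify

    def tick(self):
        self.counter += 1

    def on_syn(self, p):
        return syn_cookie(p.src, p.sport, p.dport, self.counter)

    def on_ack(self, p):
        # Accept cookies minted in the current or a few recent counter values.
        for c in range(self.counter, self.counter - COOKIE_WINDOW, -1):
            if c >= 0 and p.ack == syn_cookie(p.src, p.sport, p.dport, c) + 1:
                self.forwarded += 1
                return True
        self.rejected += 1
        return False


def simulate(handler, spoofed_syns=500, legit_clients=20):
    """Spoofed SYNs never answer the SYN-ACK; legitimate clients do. Returns completed legit handshakes."""
    for i in range(spoofed_syns):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"  # constructed addresses
        handler.on_syn(Packet(src, 40000 + i % 1000, 25, "SYN"))
    completed = 0
    for i in range(legit_clients):
        p = Packet("192.0.2.10", 50000 + i, 25, "SYN")
        isn = handler.on_syn(p)
        if isn is not None and handler.on_ack(Packet(p.src, p.sport, p.dport, "ACK", ack=isn + 1)):
            completed += 1
    return completed


if __name__ == "__main__":
    print("naive listener, legit handshakes completed:", simulate(NaiveListener(backlog=128)))
    print("SYN proxy, legit handshakes completed:", simulate(SynProxy()))
```

With the backlog of 128 the naive listener completes none of the twenty legitimate handshakes once 500 spoofed SYNs are queued, while the proxy completes all twenty because a half-open connection costs it nothing. The cookie window also shows the trade-off: an ACK arriving after the counter has advanced past the window is rejected, so the window length bounds how long a slow client may take to respond.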
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/