Re: PANIX.COM down: denial of service attack

[Duncan Frissell <frissell@panix.com>]

Here are the gory details from the first MOTD last Saturday:

               The attacker is forging random source addresses on his
               packets, so there is no way to find his/her location. There
               is also no way to screen out those packets with a simple
               router filter.

               This is probably the most deadly type of denial-of-service
               attack possible. There is no easy or quick way of dealing
               with it. If it continues into Saturday we will start working
               on kernel modifications to try to absorb the damage
               (since there's absolutely no way to avoid it). This
               however will not be an easy job and it could take days to
               get done (and get done right).

               For those who are IP hackers, the problem is that we're
               being flooded with SYNs from random IP addresses on
               our smtp ports. We are getting on average 150 packets
               per second (50 per host).

               We are not the only site being attacked in this way. I
               know of one other site that is being attacked in an
               identical manner right now, and I know of three others
               that have been attacked in the last two weeks. I hope that
               this means that the attacker is merely playing malicious
               games, and will soon tire of molesting our site. If that is
               the case, mail will come back up as soon as the attack
               ends. But if the attacker is really interested in damaging
               Panix specifically, the attack may *never* stop and
               service won't be restored until we can write kernel
               modifications.


Since then the packet streams have hit almost all the ports for news, www,
telnet, etc.  

DCF