Hi List,
I am facing some problems these days with my bandwidth, and I thought it was because of my backbone provider.
When I contacted them, they responded with the following:

We see traffic from random addresses on the Internet that are sending SYN requests to your email server (the first of three handshakes to complete a TCP connection). These requests are acknowledged by your email server with a SYN ACK (the second part of three handshakes to complete a TCP connection). The random sites that initiate the SYN request never complete the third and final part of the handshake by sending an ACK back to the email server's SYN ACK response. This lack of response from the site that initiated the SYN request keeps the TCP connection up for a period of time (set by the internal configuration of TCP on the machine the email server is located on), waiting for a response to complete the connection. It never comes. This consumes bandwidth and machine resources (memory and CPU cycles) until TCP decides there is no response and drops the connection. By generating phony TCP SYN packets from random IP addresses at a rapid rate, it is possible to fill up the connection queue and deny TCP services (such as e-mail, file transfer, or WWW) to legitimate users. There is no easy way to trace the originator of the attack because the IP address of the source is forged.

This is a classic SYN denial of service attack that is well documented in various papers that have been published on the topic. This type of attack can happen over any connection to the Internet. It is best controlled at the ISP of the sites that are generating the attack. In the case of a public web server or mail server facing the Internet, there is no way to determine which incoming IP source addresses are friendly and which are unfriendly. Therefore, there is no clear-cut defense against an attack from a random IP address. Several options are available to your hosts:

1.) Increase the size of the connection queue (SYN ACK queue).

2.) Decrease the time-out waiting for the three-way handshake.

3.) Employ vendor software patches on your hosts to detect and circumvent the problem (if available).

You should contact your host (email server) vendor to see if they have created specific patches to address the TCP SYN ACK attack.

Note: Filtering IP addresses at the server is ineffective since an attacker can vary his IP address, and the address may or may not be the same as that of a legitimate host.

Are you guys familiar with patches from IPswitch that fix this issue?

Please, any help with this will be appreciated.

Regards,

Magdy
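The ISP's reply above explains the half-open queue and lists three mitigations. The following is an added example, not code from the original post or from any vendor, that makes both points concrete in Python: a small model of the SYN-RECV backlog under a spoofed-SYN flood (why a bigger queue or a shorter handshake timeout helps, options 1 and 2), and a simplified SYN cookie, the best-known form of the "vendor patch" in option 3. All backlog sizes, timeouts, SYN rates, addresses and the secret are illustrative assumptions; the cookie scheme omits the MSS encoding that real implementations carry.

```python
"""Half-open queue model and a simplified SYN cookie.

Added example, not from the original post or any vendor. Every number here
(backlog, timeout, SYN rates, addresses, secret) is an illustrative assumption.
"""
import hashlib
import hmac
from collections import deque

# Assumption: a per-server secret, rotated periodically in practice.
SECRET = b"example-syn-cookie-secret"
COUNTER_WINDOW = 1  # accept cookies minted with the current or previous counter


def simulate_flood(backlog, timeout, flood_rate, legit_rate, duration):
    """Return (accepted, refused) counts for legitimate connection attempts.

    Each second, flood_rate spoofed SYNs arrive; each one holds a backlog slot
    for `timeout` seconds because its ACK never comes. Legitimate clients
    complete the handshake at once, so they only need one free slot at the
    moment their SYN arrives. Steady-state half-open entries are roughly
    flood_rate * timeout; once that exceeds the backlog, new SYNs are refused.
    """
    half_open = deque()  # expiry times of spoofed half-open entries, in order
    accepted = refused = 0
    for now in range(duration):
        while half_open and half_open[0] <= now:  # server gives up on these
            half_open.popleft()
        for _ in range(flood_rate):
            if len(half_open) < backlog:
                half_open.append(now + timeout)
        for _ in range(legit_rate):
            if len(half_open) < backlog:
                accepted += 1
            else:
                refused += 1
    return accepted, refused


def make_syn_cookie(src, dst, sport, dport, counter, secret=SECRET):
    """Build the 32-bit SYN-ACK sequence number: 8 bits of a slowly moving
    counter plus 24 bits of a MAC over the 4-tuple and that counter.
    No half-open entry is stored for the SYN."""
    counter &= 0xFF
    msg = f"{src}|{dst}|{sport}|{dport}|{counter}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return (counter << 24) | int.from_bytes(mac[:3], "big")


def check_syn_cookie(src, dst, sport, dport, ack_number, current_counter,
                     secret=SECRET):
    """Validate the final ACK of the handshake without any stored state.

    The client's ACK number is the server's sequence number plus one, so the
    cookie is recovered from the packet itself and recomputed from the
    4-tuple. A spoofed SYN never produces such an ACK, so nothing was ever
    allocated for it; state is created only when this check passes.
    """
    seq = (ack_number - 1) & 0xFFFFFFFF
    counter = seq >> 24
    for delta in range(COUNTER_WINDOW + 1):
        if (current_counter - delta) & 0xFF != counter:
            continue
        if make_syn_cookie(src, dst, sport, dport, counter, secret) == seq:
            return True
    return False


if __name__ == "__main__":
    # Illustrative numbers: 10 spoofed SYNs/s and 2 real clients/s for 60 s.
    for label, kw in (
        ("default: backlog 128, 75 s timeout", dict(backlog=128, timeout=75)),
        ("option 2: timeout cut to 5 s", dict(backlog=128, timeout=5)),
        ("option 1: backlog raised to 1024", dict(backlog=1024, timeout=75)),
    ):
        acc, ref = simulate_flood(flood_rate=10, legit_rate=2, duration=60, **kw)
        print(f"{label}: accepted={acc} refused={ref}")

    cookie = make_syn_cookie("203.0.113.5", "198.51.100.25", 40000, 25, 7)
    print("genuine ACK accepted:",
          check_syn_cookie("203.0.113.5", "198.51.100.25", 40000, 25, cookie + 1, 7))
    print("spoofed source rejected:",
          check_syn_cookie("203.0.113.6", "198.51.100.25", 40000, 25, cookie + 1, 7))
```

Run as a script, the first scenario refuses every legitimate connection once the backlog fills (after about 13 seconds at these rates), and either cutting the timeout or enlarging the backlog keeps the steady-state count below the backlog so nothing is refused. On a modern Linux host the three options correspond to the sysctls net.ipv4.tcp_max_syn_backlog (option 1), net.ipv4.tcp_synack_retries (option 2) and net.ipv4.tcp_syncookies (option 3); the cookie only has to survive for as long as the handshake, which is why the counter window is so short.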
