Hackers actually started this quite a few years ago -- if I recall correctly, it happened to Panix (a large ISP in New York) around 1997 or so.

> Has anyone had this happen yet?
>
> During a SYN flood attack, an attacker can attempt to saturate your link to/from the Internet by sending spoofed SYN packets to your edge router. If the attacker has more bandwidth at his/her disposal than you, then the DoS is due to link saturation.

Actually, that better describes a ping flood (which we had happen to us), rather than a SYN flood.

A ping flood sends ping packets, and will only cause damage if the attacker's bandwidth is greater than yours (otherwise, it does no damage).

A SYN flood, though, can do damage even if the attacker's bandwidth is small (as it will prevent access to specific services, such as web or SMTP access).

> The question is this: If the attacker sent the SYN flood to important ports, say 25 and 80, and the only defense was to block access to these ports way upstream, how could you get back online quickly? You could receive mail on your backup MX, but you could not send mail (because the block is bidirectional... you'd have to loop all outgoing mail through another IMail server on another IP, I suppose), nor could you use POP if the attack was on 110. Has anyone been through this yet and if so, what creative methods did you use to defend yourself?

Probably the best way to get back online would be to switch the IP of the mailserver, and change the DNS entries (by changing the IP associated with the A record of the hostname referenced in the MX record). Of course, the attacker could then change the attack to point to that IP.
This is an example of where it would be *extremely* useful to have some sort of system in place where ISPs were required to deal with this. Although your ISP may be 100% cooperative, they can't stop the attack without the cooperation of the pipe where the attack is coming from. If everyone cooperated, the source of the attack could be identified.
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches both viruses and vulnerabilities in E-mail, with no annual licensing fees.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
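The post draws a line between a ping flood, which only hurts when the attacker has more bandwidth than you, and a SYN flood, which fills a service's half-open connection backlog at a tiny packet rate. The script below is an added example, not code from the post or from the IMail/Declude products: it parses constructed `netstat -an`-style lines (the addresses and counts are made up), reports ports whose SYN_RECV count looks like a flood, and works out how few SYNs per second it takes to keep a backlog full. The backlog size (1024), the SYN_RECV timeout (75 s) and the 40-byte SYN size are assumed values chosen for illustration.

```python
"""SYN flood triage from connection-table output, plus backlog arithmetic.

Added example; not from the original mailing-list post. All sample data
below is constructed and does not describe any real host.
"""
import re
from collections import defaultdict

# One netstat -an style line: proto, recv-q, send-q, local, remote, state.
LINE_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def _build_sample():
    """Constructed sample: a few normal sockets plus 40 half-open connections
    to port 25, each from a different (spoofed-looking) source address."""
    lines = [
        "tcp        0      0 192.0.2.10:25          198.51.100.7:40321     ESTABLISHED",
        "tcp        0      0 192.0.2.10:80          198.51.100.9:51002     ESTABLISHED",
        "tcp        0      0 192.0.2.10:80          198.51.100.12:51010    SYN_RECV",
        "tcp        0      0 192.0.2.10:110         198.51.100.7:40400     TIME_WAIT",
    ]
    for i in range(1, 41):
        lines.append(
            f"tcp        0      0 192.0.2.10:25          203.0.113.{i}:1025        SYN_RECV"
        )
    return "\n".join(lines) + "\n"


SAMPLE_NETSTAT = _build_sample()


def parse_connections(text):
    """Yield (local_port, remote_ip, state) for each TCP line; skip headers."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _local_ip, local_port, remote_ip, _remote_port, state = m.groups()
            yield int(local_port), remote_ip, state


def half_open_by_port(text):
    """Map local port -> (number of SYN_RECV sockets, distinct remote IPs)."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for port, remote_ip, state in parse_connections(text):
        if state == "SYN_RECV":
            counts[port] += 1
            sources[port].add(remote_ip)
    return {p: (counts[p], len(sources[p])) for p in counts}


def syn_flood_report(text, threshold=20):
    """Ports whose half-open count reaches the threshold. Many distinct
    sources with one half-open socket each is the classic spoofed pattern;
    a single busy legitimate client would not look like this."""
    report = {}
    for port, (n, distinct) in half_open_by_port(text).items():
        if n >= threshold:
            report[port] = {"half_open": n, "distinct_sources": distinct}
    return report


def syn_rate_to_fill_backlog(backlog, syn_recv_timeout_s):
    """SYNs per second needed to keep `backlog` half-open entries occupied
    when each entry is dropped after `syn_recv_timeout_s` seconds."""
    return backlog / syn_recv_timeout_s


def syn_flood_bandwidth_bps(backlog, syn_recv_timeout_s, syn_bytes=40):
    """Link bandwidth that sustaining that rate consumes (IP+TCP header only).
    This is the post's point: it is tiny compared with a ping flood."""
    return syn_rate_to_fill_backlog(backlog, syn_recv_timeout_s) * syn_bytes * 8


if __name__ == "__main__":
    for port, info in syn_flood_report(SAMPLE_NETSTAT).items():
        print(f"port {port}: {info['half_open']} half-open from "
              f"{info['distinct_sources']} sources -> possible SYN flood")
    rate = syn_rate_to_fill_backlog(1024, 75)       # assumed backlog/timeout
    print(f"{rate:.1f} SYN/s keeps a 1024-entry backlog full "
          f"({syn_flood_bandwidth_bps(1024, 75) / 1000:.1f} kbit/s)")
```

Run it against real `netstat -an` output by replacing SAMPLE_NETSTAT with the command's stdout; a port that shows up with dozens of SYN_RECV entries from unrelated addresses while ESTABLISHED counts stay flat is the signature the post describes, and the backlog arithmetic shows why upstream bandwidth comparisons say nothing about it.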
