The Matrix: MEME 2.12




MEME 2.12

D E V A S T A T I O N

A few weeks ago, I logged into Panix (Public Access Internet), my Internet service provider, located a few blocks from my house, and this is the message of the day (MOTD) which welcomed me:

(Posted by Alexis Rosen)                       Sat, Sep 07 1996 --  1:23 AM
---------------------------------------------------------------------------
Friday evening, starting at around 5:45, all of Panix's main mail 
hosts were attacked from a site somewhere on the internet. I have been
trying to deal with this problem ever since, and the attack is still      
happening at this time.
...
This is probably the most deadly type of denial-of-service attack
possible. 

---------------------------------------------------------------------------

Panix came down, its three mailservers crumbling under a flood of malevolent IP packets, cresting at 150 per second, and 6,000 users experienced sporadic Internet access. Like a death-ray from outer space, someone was focusing the full might of a new weapon on an unsuspecting and defenseless target. Rosen, on his way out the door that Friday evening, couldn't believe what he was seeing, bemoaning the tenacity of the attack in his MOTD:

"We fully understand how terrible this is. The really scary part is that *no* site on the net is immune. No site can unilaterally do *Anything* to protect or defend itself against this sort of attack."

For a week the attack continued, shifting from one server to the next, and Rosen entered into an arms race with the anonymous attacker. Each time a solution seemed close, a new attack began. The core of Panix's business was at risk -- providing Internet access to its customers. What was going on here? Was this some new, frightening discovery? Had someone found a hidden vulnerability in the Net, one which no one was immune to, or ever would be? This was the logical conclusion. After all, no one had ever seen this kind of attack before, so it must have been new. Nothing could be further from the truth.

The technique, known as SYN Flooding, was documented by 1984, if not earlier, when Bill Cheswick and Steve Bellovin published their book Firewalls and Internet Security: Repelling the Wily Hacker. "We had a paragraph in the book about it, " Cheswick told me from his office at Bell Labs, "which we removed because we knew of no way to fix it. We're sorry about it now. We should have put it in."

When Cheswick heard about the SYN attack, he spoke with Rosen and was invited over. He rushed to Panix to watch the attack first-hand and offer whatever help he could. "I wanted to understand the attack more," he said, "I wanted to see the actual packets. I wanted to see how big they were. What they looked like, where they were coming from." What he saw confirmed his fears -- there was nothing he, or anyone, could do to stop it. Panix was at the mercy of their attacker.

I N S P I R A T I O N

 

   if(!dport){
                tsunami++;              /* GOD save them... */
                fprintf(stderr,"\nTSUNAMI!\n");
                fprintf(stderr,"\nflooding port:");     
        }

                        /* Setup the sin struct with addressing information */

        sin.sin_family=AF_INET;         /* Internet address family */
        sin.sin_port=sport;             /* Source port */