Re: Recent Attacks

From: blyonpopat_private
Date: Wed Feb 23 2000 - 01:21:57 PST

    On Fri, 18 Feb 2000, Randy B. Samos wrote:
    > 
    > > From: "Barrett G. Lyon" <blyonat_private>
    > > 
    > *snip*
    > > 
    > >    Is my network disrupted by this attack, and if so should I remove
    > >    whatever it is that the attacker wants offline?  If by removing the
    > >    target will the attacker stop and if so will this keep my other
    > >    services online?   [ I have found by removing the target the attacker
    > >    stops nearly immediately. ]
    > *snip*
    > 
    > Hmmm. If the object of the attack was a DOS, wouldn't you be helping the
    > attacker reach his/her goals by taking the machine down yourself?
    
    Yes, this is the general idea.  If the DoS attack is saturating the
    bandwidth that many other services depend on, perhaps it is a good idea to
    have the service that is under attack offline in order to save the
    rest?  A good example would be that if someone is attacking a customer's web
    site, it may be feasible to take that web site temporarily offline in the
    hopes that the attacker will stop the attack.  I would consider this a
    better alternative than having all customers offline.  Granted, this is not
    something you do in all cases, but it can help in some events.
    
    In non-spoofed attacks it is also handy because if the target system
    is not reachable then some sort of ICMP unreachable will be sent back to
    the attacking host possibly ending the attack.
    
    -Barrett
    
    
    
    Barrett G. Lyon
    (NJS) Network Janitor Specialist 
    Have fun: www.AlphaLinux.org
    
    [Q]: Hey, do they test this stuff before it's released?  
    [A]: Sure they do... "It compiles, it's ready!"
    


