Re: DOS by Flooding a Network

From: jlewisat_private
Date: Mon Jun 17 2002 - 14:43:52 PDT

Next message: Skip Carter: "Re: DOS by Flooding a Network"

Previous message: Boyan Krosnov: "RE: Distributed ICMP/UDP scan or attack?"
In reply to: Richard Ginski: "DOS by Flooding a Network"
Next in thread: Jeff Kell: "New script-kiddie looking scan"
Next in thread: Skip Carter: "Re: DOS by Flooding a Network"
Reply: Jeff Kell: "New script-kiddie looking scan"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

A real provider should be willing to blackhole route the destination
address (assuming the attack is directed at a single IP) so that your
internet connection is not flooded.  If the attack is aimed at randomly
changing IPs on your network, that makes blocking it at the upstream much
more difficult, if possible at all.


On Mon, 17 Jun 2002, Richard Ginski wrote:

> This past weekend, we experienced the periodic flooding of our network.
> The flooding caused our network to be inaccessible. The traffic has
> mainly been ICMP: large quantities of large spoofed packets...similar to
> "ping-of-death. Appropriate patching has been applied so the actual
> attach does not shut anything down. However, it does succeed in flooding
> of our network rendering it inaccessible.
>
> We are trying to figure out a way, if any, to mitigate this attack from
> flooding our network in the future. We tried to coordinate with our ISP
> upstream but they say they can't do anything....and we feel sending
> resets on our end would be useless and ineffective. We are trying to
> figure out a way to eliminate the "choke point" or "bottle neck" when
> the attacks occur. I feel we should be able to do something better than
> just "weathering the storm".
>
>
> Any suggestions?
>
> TIA
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>

-- 
----------------------------------------------------------------------
 Jon Lewis *jlewisat_private*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Skip Carter: "Re: DOS by Flooding a Network"
Previous message: Boyan Krosnov: "RE: Distributed ICMP/UDP scan or attack?"
In reply to: Richard Ginski: "DOS by Flooding a Network"
Next in thread: Jeff Kell: "New script-kiddie looking scan"
Next in thread: Skip Carter: "Re: DOS by Flooding a Network"
Reply: Jeff Kell: "New script-kiddie looking scan"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jun 17 2002 - 15:17:02 PDT