Re: DOS by Flooding a Network

From: Vitaly Osipov (wittat_private)
Date: Tue Jun 18 2002 - 05:13:17 PDT


    >
    > Finally I would highly recommend adding a stateful
    > packet filter between your ISP and your network, take
    > a look at netfilter.org, so you don't "have to weather
    > the storm" or whatever else your ISP has in store for
    > you. This will allow you to have a much tighter
    > control over the traffic entering your network as well
    > as traffic originating from your network.
    
    As far as I understand, the problem is that their network becomes
    inaccessible during the flood period. In this case any filtering on the client
    side (on their end of the ISP connection) will not help much - flood traffic has
    to be filtered on the provider's fat pipes, not after it has filled up a thin client
    link.
    
    Regards,
    Vitaly.
    
    >
    > Hope this helps,
    > Guhan
    >
    > --- Richard Ginski <rginskiat_private> wrote:
    > > This past weekend, we experienced the periodic
    > > flooding of our network.
    > > The flooding caused our network to be inaccessible.
    > > The traffic has
    > > mainly been ICMP: large quantities of large spoofed
    > > packets...similar to
    > > "ping-of-death". Appropriate patching has been
    > > applied so the actual
    > > attack does not shut anything down. However, it does
    > > succeed in flooding
    > > of our network rendering it inaccessible.
    > >
    > > We are trying to figure out a way, if any, to
    > > mitigate this attack from
    > > flooding our network in the future. We tried to
    > > coordinate with our ISP
    > > upstream but they say they can't do anything....and
    > > we feel sending
    > > resets on our end would be useless and ineffective.
    > > We are trying to
    > > figure out a way to eliminate the "choke point" or
    > > "bottle neck" when
    > > the attacks occur. I feel we should be able to do
    > > something better than
    > > just "weathering the storm".
    > >
    > >
    > > Any suggestions?
    > >
    > > TIA
    > >
    > >
    > > --------------------------------------------------------------------------
    > > This list is provided by the SecurityFocus ARIS
    > > analyzer service.
    > > For more information on this free incident handling,
    > > management
    > > and tracking system please see:
    > > http://aris.securityfocus.com
    > >
    >
    >
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 09:16:34 PDT