This is correct. We feel that anything we would do on our end (that we're not doing already) would be ineffective. We were trying to focus on asking the ISP to do something "upstream" to resolve the issue. I did not know if there was anything else I was overlooking. I think, at one time, there was a tool out there that sort of acted as a "tar pit" for DOS. I can't for the life of me think of the name of the tool to research how effective it would be in this instance. >>> "Vitaly Osipov" <wittat_private> 06/18/02 08:13AM >>> > > Finally I would highly reccomend adding a stateful > packet filter between your ISP and your network, take > a look at netfilter.org, so you don't "have to weather > the storm" or whatever else your ISP has in store for > you. This will allow you to have a much tighter > control over the traffic entering your network as well > as traffic orininating from your network. As far as I understand, the problem is that their network becomes inaccessible during flood period. In this case any filtering on the client side (on their end of ISP connection) will not help much - flood traffic has to be filtered on fat provider's pipes, not after it filled up a thin client link. Regards, Vitaly. > > Hope this helps, > Guhan > > --- Richard Ginski <rginskiat_private> wrote: > > This past weekend, we experienced the periodic > > flooding of our network. > > The flooding caused our network to be inaccessible. > > The traffic has > > mainly been ICMP: large quantities of large spoofed > > packets...similar to > > "ping-of-death. Appropriate patching has been > > applied so the actual > > attach does not shut anything down. However, it does > > succeed in flooding > > of our network rendering it inaccessible. > > > > We are trying to figure out a way, if any, to > > mitigate this attack from > > flooding our network in the future. We tried to > > coordinate with our ISP > > upstream but they say they can't do anything....and > > we feel sending > > resets on our end would be useless and ineffective. > > We are trying to > > figure out a way to eliminate the "choke point" or > > "bottle neck" when > > the attacks occur. I feel we should be able to do > > something better than > > just "weathering the storm". > > > > > > Any suggestions? > > > > TIA > > > > > -------------------------------------------------------------------------- -- > > This list is provided by the SecurityFocus ARIS > > analyzer service. > > For more information on this free incident handling, > > management > > and tracking system please see: > > http://aris.securityfocus.com > > > > > __________________________________________________ > Do You Yahoo!? > Yahoo! - Official partner of 2002 FIFA World Cup > http://fifaworldcup.yahoo.com > > -------------------------------------------------------------------------- -- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 09:19:58 PDT