RE: DOS by Flooding a Network

From: Mike Hrubes (MHrubesat_private)
Date: Tue Jun 18 2002 - 05:37:27 PDT

Next message: David Vincent: "RE: DOS by Flooding a Network"

Previous message: Richard Ginski: "Re: DOS by Flooding a Network"
Maybe in reply to: Richard Ginski: "DOS by Flooding a Network"
Next in thread: David Vincent: "RE: DOS by Flooding a Network"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

We were hit with a similar attack as well.  Bottom line for many people (as well as us)?  Even trying to filter the traffic won't work.  Most companies have too small of a pipe to block or filter traffic.  The ISP is the place to go.  If they're saying they "can't" do anything, then they either don't have the technical staff on hand that can program a router, or they're just lazy.  Either way, perhaps its time to change ISPs.  I know that's no fun at all, but take it a step further.  How cooperative would they be if you had a major incident (credit card numbers taken, etc) and needed to track down the source?  Probably just as cooperative as helping to block a destination address or type of traffic during a smurf attack.

Food for thought....

-----Original Message-----
From: Richard Ginski [mailto:rginskiat_private]
Sent: Monday, June 17, 2002 11:25 AM
To: incidentsat_private
Subject: DOS by Flooding a Network

This past weekend, we experienced the periodic flooding of our network.
The flooding caused our network to be inaccessible. The traffic has
mainly been ICMP: large quantities of large spoofed packets...similar to
"ping-of-death. Appropriate patching has been applied so the actual
attach does not shut anything down. However, it does succeed in flooding
of our network rendering it inaccessible.

We are trying to figure out a way, if any, to mitigate this attack from
flooding our network in the future. We tried to coordinate with our ISP
upstream but they say they can't do anything....and we feel sending
resets on our end would be useless and ineffective. We are trying to
figure out a way to eliminate the "choke point" or "bottle neck" when
the attacks occur. I feel we should be able to do something better than
just "weathering the storm".

Any suggestions?

TIA

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: David Vincent: "RE: DOS by Flooding a Network"
Previous message: Richard Ginski: "Re: DOS by Flooding a Network"
Maybe in reply to: Richard Ginski: "DOS by Flooding a Network"
Next in thread: David Vincent: "RE: DOS by Flooding a Network"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 09:23:35 PDT