Hi list ..
I am experiencing a bad DDoS attack toward one of my server. The attack is
pointed to only 1 IP on which a governmental site is hosted. Seems some
folks don't like the site to stay up. As far as the Server (Linux) security
is concerned, I am able to make that up serving all requests without any
hesitation. My network with which I am connected to is poorly configured and
allowing the DDoS attack to pass thru their routers. I am getting two kind
of attacks here:
- ICMP Flood
Simple ICMP flood from various spoofed hosts. This I know can be
blocked on the router for the particular IP. Unfortunately the network guys
are still not able to do that.
- SYN Flood
Interesting thing. Loots of SYN requests from these kind of
network/broadcasts towards port 80 only.
37.72.0.0
128.89.0.0
173.66.0.0
37.155.0.0
177.225.0.0
37.94.0.0
36.162.0.0
117.77.0.0
151.162.0.0
36.216.0.0
134.248.0.0
175.129.0.0
And the list goes oon .. The question I want to ask here, is the
network/router poorly configured at my NOC which is allowing
broadcasts/networks to pass through it? If so, how can I assist them to fix
it? I am not a Cisco guru, so might need someone to give me some hints so
that I can pass that to the poor NOC techs.
Any help would be appreciated.
Thanks,
Muhammad Naseer
This archive was generated by hypermail 2b30 : Thu May 22 2003 - 12:10:32 PDT