Hi list,

I am experiencing a bad DDoS attack toward one of my servers. The attack is pointed at only one IP, on which a governmental site is hosted. It seems some folks don't like the site to stay up. As far as the server (Linux) security is concerned, I am able to keep it up serving all requests without any hesitation. The network to which I am connected is poorly configured and is allowing the DDoS attack to pass through their routers.

I am getting two kinds of attacks here:

- ICMP Flood
  Simple ICMP flood from various spoofed hosts. This I know can be blocked on the router for the particular IP. Unfortunately the network guys are still not able to do that.

- SYN Flood
  Interesting thing. Lots of SYN requests from these kinds of networks/broadcasts towards port 80 only.

  37.72.0.0
  128.89.0.0
  173.66.0.0
  37.155.0.0
  177.225.0.0
  37.94.0.0
  36.162.0.0
  117.77.0.0
  151.162.0.0
  36.216.0.0
  134.248.0.0
  175.129.0.0

  And the list goes on ..

The question I want to ask here is: is the network/router at my NOC poorly configured, which is allowing broadcasts/networks to pass through it? If so, how can I assist them to fix it? I am not a Cisco guru, so I might need someone to give me some hints that I can pass on to the poor NOC techs.

Any help would be appreciated.

Thanks,
Muhammad Naseer
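One way to triage a packet capture for the pattern described in the post above (pure SYN packets to port 80 whose source addresses are /16 network addresses such as 37.72.0.0, or private/reserved space that should never arrive from the Internet), as an added example that is not part of the original message. The tcpdump-style lines and every address in them are constructed; only the parsing and classification logic matter.

```python
import ipaddress
import re
from collections import Counter
from typing import Optional, Tuple, Dict

# Constructed tcpdump-style capture (not real traffic). 203.0.113.10 stands in
# for the attacked host; 77.10.20.30 stands in for a legitimate client.
SAMPLE_LINES = """\
12:01:02.100 IP 37.72.0.0.4312 > 203.0.113.10.80: Flags [S], seq 1, win 512, length 0
12:01:02.101 IP 128.89.0.0.4313 > 203.0.113.10.80: Flags [S], seq 2, win 512, length 0
12:01:02.102 IP 77.10.20.30.51022 > 203.0.113.10.80: Flags [S], seq 3, win 65535, length 0
12:01:02.103 IP 77.10.20.30.51022 > 203.0.113.10.80: Flags [.], ack 1, win 65535, length 0
12:01:02.104 IP 173.66.0.0.4314 > 203.0.113.10.80: Flags [S], seq 4, win 512, length 0
12:01:02.105 IP 10.0.0.5.4315 > 203.0.113.10.80: Flags [S], seq 5, win 512, length 0
12:01:02.106 IP 37.72.0.0.4316 > 203.0.113.10.80: Flags [S], seq 6, win 512, length 0
"""

# tcpdump prints "a.b.c.d.port > a.b.c.d.port: Flags [..]"; the last dotted
# component on each side is the port.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def is_pure_syn(flags: str) -> bool:
    """True for a bare SYN ([S]); SYN-ACK ([S.]) and ACKs ([.]) are not."""
    return "S" in flags and "." not in flags

def suspicious_source(addr: str) -> Optional[str]:
    """Label a source that should not appear on a public-facing link."""
    ip = ipaddress.ip_address(addr)
    if (ip.is_private or ip.is_reserved or ip.is_loopback or ip.is_multicast
            or ip.is_unspecified or ip.is_link_local):
        return "bogon"          # RFC1918 / reserved space: spoofed or leaked
    if ip.packed[2:] == b"\x00\x00":
        return "network-address"  # x.y.0.0: a /16 network id, not a host
    return None

def classify_syns(text: str, port: int = 80) -> Tuple[Counter, Dict[str, str]]:
    """Count suspicious SYN sources toward `port` and record why each was flagged."""
    counts: Counter = Counter()
    reasons: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dport"]) != port or not is_pure_syn(m["flags"]):
            continue
        reason = suspicious_source(m["src"])
        if reason:
            counts[m["src"]] += 1
            reasons[m["src"]] = reason
    return counts, reasons
```

A source list produced this way is what the NOC needs to confirm that the addresses are spoofed network identifiers, which is the case for an ingress filter on their edge rather than anything on the Linux host.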
This archive was generated by hypermail 2b30 : Thu May 22 2003 - 12:10:32 PDT