Re: Firewall-1 and ISA D.o.S.

From: Lincoln Yeoh (lyeohat_private)
Date: Mon Feb 18 2002 - 18:01:03 PST


    At 12:43 PM 18-02-2002 -0000, overclocking_a_la_abuelaat_private wrote:
    >
    >In-Reply-To: <3.0.5.32.20020218085949.012f4100at_private>
    >
    >When you stop the attack, the firewall recovers, but 
    >think that in the case of ISA D.o.S. I'm sending 
    >spoofed packets so it will be more difficult to find the 
    >attacker (if you do not have an IDS or similar).
    
    How fast are the packets being sent? 10Mbps? Or something a lot lower like
    100kbps?
    
    If it's low then it's a problem, if 10Mbps then in most cases I still don't
    think it's a big problem (unless your firewall is supposed to be a 100Mbps
    or 1Gbps rate firewall - is the firewall tested specced for 100Mbps?).
    
    Have you tried rate limiting the packets to see if you can get the same
    effects at lower bandwidths? That would be interesting.
    
    Because with high bandwidth usage and the transient effects it shouldn't be
    too difficult to quickly figure out which port to unplug/disable - unplug
    the right blinking port and everything is back to normal. 
    
    If the attacker is inside then if it keeps happening, it might not be as
    difficult to find the perpetrator... If the attacker is external and
    sending a trojan inside then in the case of the ISA (or if proxy servers
    are required) the attacker has to figure out the relevant internal IPs. 
    
    Furthermore if the attacker can successfully plant a trojan inside, a
    transient DoS like this would be welcome compared to all the other things
    possible (e.g. remote controlled trojan). Almost like someone sneaking in
    to the office and shouting continuously "arrest me".
    
    Cheerio,
    Link, 
    



    This archive was generated by hypermail 2b30 : Mon Feb 18 2002 - 19:51:29 PST