funsec mailing list archives

Re: DoS help


From: Dan White <dwhite () olp net>
Date: Mon, 8 Nov 2010 20:09:16 -0600

On 08/11/10 17:05 -0600, RandallM wrote:
hi
sorry for interrupting the fun in funsec,

I work for a small promotional products company that today experienced
DoS. Most of you here are above me in understanding such so I will
spare you the whole story and am asking for advice to present to my
CIO on what measures can be taken to prevent another day where it cost
us $$$!

You'll probably get some good suggestions on this topic from the NANOG
list.

Once I found the "UDP Echo request" pounding us and contacted ATT/SBC
explaining to them how rebooting the router opened the internet for a
few minutes until these same requests started pounding again all they
could tell me was to "email to them" a request to block.

Well...the Echo request hit again our IP block address using another
IP (both from FR.), the first hits were morning, second were about two
hours of it in the afternoon (I've never experienced where it hit the
whole damn thing X.X.X.255)

My CIO wants to know what can be done so they can report this to the CEO.

Depending on what services you offer or use, you could invest in hosting
your critical services in a data center that could provide expertise in
fighting DOS attacks.

At the moment we have two Radware boxes capable of controlling our DNS
and taking two internet ISPs (att or whomever we choose). In theory
would switching our ip blocks from one ISP to the other control such?
Or would it just also follow?

You could try negotiating a dynamic routing protocol with your ISPs that
allow you to announce a dead route for a given IP address or subnet so that
the DOS traffic doesn't get routed to you.

-- 
Dan White
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

