Security Incidents mailing list archives
Re: DOS
From: Dom Genzano <dom () STIGROUP NET>
Date: Wed, 21 Feb 2001 15:32:54 -0500
Anderson,

It looks like you're dealing with a run-of-the-mill distributed denial of service attack. Unfortunately, there's a limited number of things that you can effectively do to slow this down. One of the simplest ways to help with this is to configure 'reverse-path-forwarding' on 'ip cef' if you have a Cisco router with a reasonably recent software revision between you and the attacker. There are also a number of clever tricks you can do with the products from a company called Packeteer that will minimize the impact of DDOS attacks. It seems like you may be able to filter additional TCP ports from entering your network to slow this down also (unless what I'm looking at is a result of stateful inspection).

Generally speaking, stopping DDOS attacks is next to impossible; you can only slow them down.

Has this been happening a lot? If so, over how long a period of time? Usually this means that someone is targeting your machines specifically, if it's frequent and over more than a day or so.

Dom Genzano

Dominic Genzano
Senior Partner
Secure Technology Integration Group LTD.
498 7th Avenue - 17th Floor
New York, NY 10018
Office: 646-435-7111
Fax: 212-202-5237
Email: dom () stigroup net

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM] On Behalf Of Silveira, Anderson
Sent: Wednesday, February 21, 2001 11:19 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: DOS

Hello,

Some machines on our network are being attacked frequently with this kind of flood. Can somebody help me with how to avoid it?

Feb 20 00:12:59 bufren iplog[107]: TCP: port 267 connection attempt from 96.35.224.33:51183
Feb 20 00:12:59 bufren iplog[107]: TCP: port 269 connection attempt from 148.216.249.68:55072
Feb 20 00:12:59 bufren iplog[107]: TCP: port 270 connection attempt from 46.179.134.86:24249
Feb 20 00:12:59 bufren iplog[107]: TCP: port 274 connection attempt from 150.29.186.28:32027
Feb 20 00:12:59 bufren iplog[107]: TCP: port 279 connection attempt from 152.98.122.116:8981
Feb 20 00:12:59 bufren iplog[107]: TCP: port 281 connection attempt from 204.23.148.23:12870
Feb 20 00:12:59 bufren iplog[107]: TCP: port 275 connection attempt from 48.248.70.46:1203
Feb 20 00:12:59 bufren iplog[107]: TCP: port 277 connection attempt from 100.173.96.81:5092
Feb 20 00:12:59 bufren iplog[107]: TCP: port 272 connection attempt from 98.104.160.121:28138
Feb 20 00:12:59 bufren iplog[107]: TCP: port 276 connection attempt from 202.210.211.63:35916
Feb 20 00:12:59 bufren iplog[107]: TCP: port 284 connection attempt from 154.167.58.76:51472
Feb 20 00:12:59 bufren iplog[107]: TCP: port 285 connection attempt from 52.130.199.93:20648
Feb 20 00:12:59 bufren iplog[107]: TCP: port 286 connection attempt from 206.92.84.111:55361

And it goes until port 37000 and above, always from a different IP number.

-----------------------------------------
Anderson Silveira
Electrical Engineer - Security Officer
-----------------------------------------
Knowledge is power - We are what we think
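Added example, not part of the original thread: a small Python check that parses iplog lines like the ones Anderson quoted and flags any one-second window in which nearly every connection attempt arrives from a different source address, the pattern that suggests randomized (likely spoofed) sources and makes uRPF on the upstream router worth trying. The sample log is a subset of the lines from the post plus one constructed benign line; the thresholds are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict

# Subset of the iplog lines quoted in the post, plus one constructed
# single-attempt line (192.0.2.10 is documentation address space).
SAMPLE_LOG = """\
Feb 20 00:12:59 bufren iplog[107]: TCP: port 267 connection attempt from 96.35.224.33:51183
Feb 20 00:12:59 bufren iplog[107]: TCP: port 269 connection attempt from 148.216.249.68:55072
Feb 20 00:12:59 bufren iplog[107]: TCP: port 270 connection attempt from 46.179.134.86:24249
Feb 20 00:12:59 bufren iplog[107]: TCP: port 274 connection attempt from 150.29.186.28:32027
Feb 20 00:12:59 bufren iplog[107]: TCP: port 279 connection attempt from 152.98.122.116:8981
Feb 20 00:12:59 bufren iplog[107]: TCP: port 281 connection attempt from 204.23.148.23:12870
Feb 20 00:12:59 bufren iplog[107]: TCP: port 275 connection attempt from 48.248.70.46:1203
Feb 20 00:12:59 bufren iplog[107]: TCP: port 277 connection attempt from 100.173.96.81:5092
Feb 20 00:13:30 bufren iplog[107]: TCP: port 22 connection attempt from 192.0.2.10:40001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ iplog\[\d+\]: TCP: port (?P<port>\d+) "
    r"connection attempt from (?P<src>[\d.]+):(?P<sport>\d+)$"
)


def parse_iplog(text):
    """Yield (timestamp, dst_port, src_ip) for every iplog TCP line that matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), int(m.group("port")), m.group("src")


def find_spoofed_sweeps(text, min_attempts=5, min_distinct_ratio=0.9):
    """Bucket attempts by one-second timestamp and flag each second that has
    at least min_attempts attempts where the share of distinct source IPs is
    at least min_distinct_ratio. Returns a list of
    (timestamp, attempts, distinct_sources, (lowest_port, highest_port))."""
    per_second = defaultdict(list)
    for ts, port, src in parse_iplog(text):
        per_second[ts].append((port, src))
    flagged = []
    for ts, events in sorted(per_second.items()):
        n = len(events)
        if n < min_attempts:
            continue  # too few attempts in this second to judge
        distinct = len({src for _, src in events})
        ports = [p for p, _ in events]
        if distinct / n >= min_distinct_ratio:
            flagged.append((ts, n, distinct, (min(ports), max(ports))))
    return flagged
```

The flagged second reports 8 attempts from 8 distinct sources across ports 267 to 281; the lone port-22 attempt is not flagged.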