Security Incidents mailing list archives
Re: ICMP/SYN Flood
From: "Muhammad Naseer Bhatti" <mail-lists () digitallinx com>
Date: Fri, 23 May 2003 00:21:45 +0500
Yes, I can always null route the IP at the router and let the traffic block there. But the question is how I can prevent it from happening again in the future. Whenever I update the DNS, the DDoS can be started at the new IP again. There should be some kind of protection that can be done at the router so that it won't let the traffic pass.

-Naseer

----- Original Message -----
From: "Tom Vande Stouwe" <tomv () conpro net>
To: "'Muhammad Naseer Bhatti'" <mail-lists () digitallinx com>
Sent: Friday, May 23, 2003 12:19 AM
Subject: RE: ICMP/SYN Flood

If the attack is against a particular IP, why not readdress that server and update the DNS. It might catch them off guard, and the flood can be stopped by the IP at the router.

Tom

-----Original Message-----
From: Muhammad Naseer Bhatti [mailto:mail-lists () digitallinx com]
Sent: Wednesday, May 21, 2003 10:47 PM
To: incidents () securityfocus com
Subject: ICMP/SYN Flood

Hi list ..

I am experiencing a bad DDoS attack toward one of my servers. The attack is pointed at only 1 IP, on which a governmental site is hosted. Seems some folks don't like the site to stay up. As far as the server (Linux) security is concerned, I am able to keep it up, serving all requests without any hesitation. The network with which I am connected is poorly configured and allows the DDoS attack to pass through their routers.

I am getting two kinds of attacks here:

- ICMP Flood
  Simple ICMP flood from various spoofed hosts. This I know can be blocked on the router for the particular IP. Unfortunately the network guys are still not able to do that.

- SYN Flood
  Interesting thing. Lots of SYN requests from these kinds of networks/broadcasts towards port 80 only:

  37.72.0.0
  128.89.0.0
  173.66.0.0
  37.155.0.0
  177.225.0.0
  37.94.0.0
  36.162.0.0
  117.77.0.0
  151.162.0.0
  36.216.0.0
  134.248.0.0
  175.129.0.0

  And the list goes on ..

The question I want to ask here is: is the network/router at my NOC poorly configured, which is allowing broadcasts/networks to pass through it? If so, how can I assist them to fix it? I am not a Cisco guru, so I might need someone to give me some hints that I can pass on to the poor NOC techs.

Any help would be appreciated.

Thanks,
Muhammad Naseer
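The sources listed in the original post all have the form x.y.0.0, which is a network address rather than a plausible client host. The following is an added example (not code from anyone in this thread) of the check a defender can run over firewall SYN logs to separate such sources, and other bogon sources that ingress filtering should never let in, from ordinary clients before asking the upstream to filter them. The log line format, the regex and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a netfilter LOG-target style (an assumption;
# adapt LINE_RE to whatever your router or firewall actually logs). Sources
# mirror the x.y.0.0 network addresses quoted in the original post.
SAMPLE_LOG = """\
May 21 22:40:01 kernel: IN=eth0 SRC=37.72.0.0 DST=203.0.113.10 PROTO=TCP DPT=80 SYN
May 21 22:40:01 kernel: IN=eth0 SRC=128.89.0.0 DST=203.0.113.10 PROTO=TCP DPT=80 SYN
May 21 22:40:02 kernel: IN=eth0 SRC=37.72.0.0 DST=203.0.113.10 PROTO=TCP DPT=80 SYN
May 21 22:40:02 kernel: IN=eth0 SRC=37.72.12.34 DST=203.0.113.10 PROTO=TCP DPT=80 SYN
May 21 22:40:03 kernel: IN=eth0 SRC=10.1.2.3 DST=203.0.113.10 PROTO=TCP DPT=80 SYN
May 21 22:40:03 kernel: IN=eth0 SRC=173.66.0.0 DST=203.0.113.10 PROTO=TCP DPT=25 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+) SYN\b")


def suspect_reason(addr):
    """Why a SYN source is implausible as a real client, or None if it
    looks ordinary. Addresses whose low 16 bits are zero (x.y.0.0) are the
    pattern from the post; private/reserved/multicast/loopback sources are
    bogons that RFC 2827-style ingress filtering at the edge should drop."""
    ip = ipaddress.ip_address(addr)
    if int(ip) & 0xFFFF == 0:
        return "host-part-zero"
    if ip.is_private or ip.is_reserved or ip.is_multicast or ip.is_loopback:
        return "bogon"
    return None


def analyse(log_text, port=80):
    """Map each SYN source aimed at `port` to (syn_count, reason)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("dpt")) == port:
            counts[m.group("src")] += 1
    return {src: (n, suspect_reason(src)) for src, n in counts.items()}


def suspects(log_text, port=80):
    """Suspect sources sorted by SYN volume: the addresses worth asking the
    upstream to filter, while ordinary-looking clients are left alone."""
    rep = analyse(log_text, port)
    return sorted(((src, n, why) for src, (n, why) in rep.items() if why),
                  key=lambda t: -t[1])


if __name__ == "__main__":
    for src, n, why in suspects(SAMPLE_LOG):
        print(f"{src:<16} {n:>4} SYNs  {why}")
```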